That information was held on Melbourne IT's systems. At the time of the incident, Melbourne IT CEO Theo Hnarakis told ZDNet that "whether it's current, whether it's historic, it's not our data", and it had not involved the privacy commissioner.
The commissioner became involved anyway when he launched an own-motion investigation into the matter to determine whether either company had violated Australia's National Privacy Principles (NPPs). AAPT has already been given a warning by the Australian Communications and Media Authority for violating the Telecommunications Consumer Protection Code.
Pilgrim found AAPT to be in breach of two sections of the NPPs — Security of personal information (NPP 4.1), and Retention of personal information (NPP 4.2).
For NPP 4.1, which looks at whether "reasonable steps" were taken to secure information, Pilgrim sided with Melbourne IT. He wrote that he "took the view that AAPT held the information for the purposes of NPP 4.1, despite it being stored on Melbourne IT's server. This meant that AAPT had an obligation to comply with NPP 4.1 in relation to the information."
Although the server was meant to be managed by Melbourne IT, the breakdown of applications and patches were separate. Keeping applications up to date with security patches was considered to be Melbourne IT's responsibility, but the actual application version was AAPT's.
In this case, the Adobe Cold Fusion instance, which allowed Anonymous to attack the server, had all of its security updates applied, but was an old version that has since been superseded.
AAPT had a security contract in place with Melbourne IT, but it failed to specify any vulnerability scanning, or for its host to identify any risks. Pilgrim also wrote that it wasn't clear whether AAPT was aware of what personal information was on the server.
"AAPT failed to take its own steps to appropriately manage and protect the information, and did not have adequate contractual measures in place to protect the personal information held on the compromised server. AAPT continued to use a seven-year-old version of Cold Fusion, which was generally known to have vulnerabilities when newer versions were available."
NPP 4.2, on the other hand, looks at whether it is necessary to retain personal information. Pilgrim noted that AAPT has policies for destroying personal data when necessary, but said that the awareness of these policies is low. Furthermore, they were not being followed by staff involved at the time of the incident.
Although AAPT is not subject to formal fines, from March next year, additional powers granted to the commissioner will mean that Pilgrim will have the ability to make determinations from own-motion investigations, accept written undertakings, or hand down civil penalties. These can range from AU$340,000 for individuals and up to AU$1.7 million for companies.