The Australian Department of Social Services (DSS) has confirmed the third-party breach of its previous credit card management system, with data reportedly exposed by Business Information Services over an 11-year period containing the names, usernames, work phone numbers, work email addresses, and system passwords of department employees.
As first reported by the Guardian, DSS CFO Scott Dilley had written to 8,500 current and former employees warning them of the breach back in early November, explaining there was "a data compromise relating to staff profiles within the department's credit card management system prior to 2016".
It is reported that Business Information Services advised the department the data was "open" from June 2016 through October 2017, and that the exposed records dated back as far as 2004 through to 2015.
The letter from Dilley, according to the Guardian, blames "the actions of the department's third-party provider" and says the compromise "is not a result of any of the department's internal systems".
"The data has now been secured," Dilley is quoted as writing in the letter sent to DSS staff, adding that there was "no evidence" of improper use of the data or the department's credit cards.
A spokesperson for DSS told ZDNet that on October 3, 2017, the department was notified by the Australian Signals Directorate of the compromise.
The Australian Cyber Security Centre (ACSC) immediately contacted Business Information Services to secure the information and remove the "vulnerability" within hours of notification, the spokesperson added.
They also said DSS has been working with the ACSC and the Office of the Australian Information Commissioner (OAIC) in response to the breach, with around 2,000 current staff and 6,500 former employees notified.
According to DSS, this vulnerability has been contained and the department is "working" with Business Information Services to "ensure effective arrangements are in place, and to support affected staff".
Last year, a 1.74GB MySQL database backup containing 1.3 million rows and 647 different tables from the Australian Red Cross Blood Service's DonateBlood.com.au website was found to be publicly available.
The data originated from an online donor application form that contained details including name, gender, address, email, phone number, date of birth, country of birth, blood type, and other donation-related data, as well as appointments made.
An investigation by the OAIC found that a file containing information relating to approximately 550,000 prospective blood donors was saved to a publicly accessible portion of a webserver managed by a third-party provider, Precedent Communications.
The data breach occurred without the authorisation or direct involvement of the Blood Service, and was outside the scope of Precedent's contractual obligations to the Blood Service.
In February next year, organisations in Australia will need to disclose incidents involving personal information, credit card information, credit eligibility, and tax file number information of individuals that would put them at "real risk of serious harm" under the country's impending data breach notification laws.
The new laws mandated under the Privacy Amendment (Notifiable Data Breaches) Act apply only to companies covered by the act, and therefore see intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties exempt from disclosing breaches.
The following May, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.
Under Australia's data breach notification laws, organisations have 30 days to declare the breach; under the GDPR, organisations have 72 hours to notify authorities after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If an Australian organisation has an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU, they are bound by the GDPR requirements, should the breach be related to any of the above.