First State Super breached Privacy Act

The First State Super Trustee Corporation (FSS) has been found to have breached the Privacy Act after its systems were compromised in an incident in October 2011.

update The First State Super Trustee Corporation (FSS) has been found to have breached the Privacy Act after its systems were compromised in an incident in October 2011.

As reported by Risky Business at the time, OSI Security director and principal consultant Patrick Webster, discovered that information from FSS' systems were vulnerable to snooping by other customers of FSS. But upon reporting the incident to the superannuation fund, FSS contacted NSW Police who then went to Webster's residence and questioned him as a suspect in a hacking case.

While Webster was eventually not charged, the vulnerability he uncovered was still significant. The Privacy Commissioner opened an investigation into the matter and in its report found that personal information that could be downloaded from FSS included member names and addresses, details of superannuation account transactions, balances and members' ages.

According to the report, FSS had conducted its own penetration tests prior to the incident with its contracted auditing firm, Pillar Administration, performing over 200 security tests, but failing to reveal the flaw Webster would later point out. This was due to the tests' scope being restricted to a small area of FSS' activities, and thus completely missing the vulnerability.

However, the commissioner's report noted that Pillar's website monitoring system had detected an anomaly prior to Webster notifying FSS, and even if Webster had not informed the superannuation fund, it should have been able to close its vulnerabilities.

"In the Commissioner's view, FSS would therefore have had the capacity to remedy this flaw in its system, even if it had not been advised of the vulnerability by [Webster]. However, because testing was limited, the vulnerability was not discovered until it had already been exploited," the report read.

Due to FSS' inaction prior to the incident, the report concludes that FSS breached National Privacy Principle 4.1, which "requires organisations to take 'reasonable steps' to protect the personal information they hold, from misuse and loss, and from unauthorised access, modification or disclosure".

FSS has accepted the report, but remains adamant that no user details were compromised.

"We acknowledge the commissioner’s finding that our data security at the time was inadequate, but it is important to understand that at no time was there any opportunity for fraudulent transactions to occur," FSS chief executive officer Michael Dwyer said in a statement.

"Clearly, the breach was not insignificant. We have apologised to our members, and they can have every confidence that their personal information and their accounts are subject to stringent security protocols, including regular ongoing security testing and reporting by highly regarded, independent specialist IT security consultants."

FSS' actions in improving its security, which includes immediately containing the incident, conducting an internal investigation, reviewing its security and seeking external advice, have led the commissioner to cease its investigation on the basis that "the response to this incident appears adequate in the circumstances".

As for Webster, he appears to be clear of any perceived wrong-doing, with the report noting that "there is currently no ongoing legal action against [Webster] by either FSS or NSW police".

Updated at 2.57pm, 8 June 2012: added comment from First State Super.