Government sites hit by Aussie Travel Cover hacker

An unknown number of government websites have been compromised by a hacker who reportedly exfiltrated more than 770,000 records from the computer system and database of Australian travel insurer Aussie Travel Cover.
Written by Leon Spencer, Contributor

A hacker who reportedly exfiltrated more than 770,000 records from the computer system and database of Aussie Travel Cover, one of Australia's largest travel insurance companies, has also compromised an unknown number of government websites.

On December 18 last year, Aussie Travel Cover, a privately owned agent of Allianz, was made aware that its computer system had been hacked, it was revealed by the ABC's PM program on Monday, January 19.

The hacker exfiltrated more than 770,000 records, including names, phone numbers, email addresses, travel dates, and policy prices from the website's database.

According to the ABC, the insurer let third-party agents know about the hack on December 23, a few days after it became aware of the data breach, while policy holders -- its customers -- were left in the dark.

Under current Australian legislation, companies are not required to disclose data breaches.

Australia's Privacy Commissioner Timothy Pilgrim said that he had been told about the breach on December 22, but is still deciding whether to investigate, the ABC reported.

The hacker, who goes by the online alias "Abdilo" and claims to be a teenager based in Queensland, exploited an SQL injection vulnerability to exfiltrate the records. According to his own claims posted on Pastebin.com, he has used the same technique to compromise dozens of sites.

These include government organisations at state and federal levels, along with the sites of educational institutions, and dozens of other public and private sector organisations in Australia and abroad.

Abdilo's list of targets contains at least eight websites operated by government entities at state and federal levels, including those of the Australian Communications and Media Authority (ACMA), the Victoria Police, the Australian Nuclear Science and Technology Organisation (ANSTO), and the Australian Public Service Commission.

However, of the government entities that have responded to ZDNet's queries, those that confirmed they were aware of an attack by Abdilo indicated that the sites compromised were public-facing portals that did not contain any sensitive or private information.

"A Twitter user 'Abdilo' tweeted on December 4 that an ACMA automated fee calculator was vulnerable to a SQL injection attack," a spokesperson for the ACMA told ZDNet. "This site is a stand-alone website used only to host a public-facing portal, and has no link to any ACMA network. There is no evidence there has been any data exfiltration."

Likewise, a spokesperson for ANSTO indicated that the part of its website that was compromised by an attack is public-facing, and also contained no sensitive or non-public information.

"ANSTO is aware part of a computer database was accessed that holds non-secure data, which was scheduled to be released, and have passed information on to the relevant authorities," the spokesperson told ZDNet. "I understand the area included some work details of scientists applying to use ANSTO instruments, and a database from the ANSTO library which collates publicly available scientific reports.

"Information such as publication and experiment titles, names of researchers, and which experiments are running are included in the database, most of which is currently publicly accessible on our website or released after two or three years anyway.

"As is par for the course for any organisation in this day and age, public or private, once it was identified, we improved that section of the network," he said.

The claims seem to be backed up by the Office of the Australian Information Commissioner (OAIC), which told ZDNet at the time of writing that it had not received any data breach notifications from either the ACMA or ANSTO.

Government agencies may only notify the OAIC of a data breach if personal information is compromised in an attack.

The comments from the ACMA and ANSTO stand in stark contrast to the claims made by Abdilo, who said in his Pastebin.com post that in December, the hacker "broke into some pretty big .gov.au sites like acma, ansto, police.vic.gov.au".

Additionally, Abdilo wrote that the "whole plan was to mess with ansto's nuclear reactor, but the closest I got was stealing all of their error logs & chemicals & scientist doxes lol (which i ended up loosing [sic] by a corrupted truecrypt drive LOL)."

The hacker also claims to have joined black hat hacking group LizardSquad in August last year, hosting lizardsquad.ru and lizardsquad.com, and then left the group in October -- prior to the group taking down the Xbox and PlayStation networks in December.

Journalist and digital security expert Brian Krebs said in an article published in December on his Krebsonsecurity.com site that the individual who registered LizardStresser is an "interesting and angry teenager who appears to hail from Australia" who uses the nickname "Abdilo".

However, Abdilo claims that the LizardStresser.su domain referred to by Krebs was, in fact, created by another LizardSquad member.

It appears that since Abdilo's December attack on Aussie Travel Cover, the hacker has been having a go at other organisations in the Australian insurance and finance sectors.

On January 16, Abdilo tweeted, "@GIOInsurance i sent you an email the other day trying to report a sqli to you...might wanna check your emails" and, also on January 16 tweeted, "@investsmart_au check your emails if you want the sqli in your site".

While NSW Police claims that its Cybercrime Squad has not received any reports relating to the NSW-based websites named in Abdilo's target list, the Australian Federal Police has confirmed that it is aware of the matter, but would not go so far as to say whether it is currently investigating.

"The AFP has a long-standing practice of not confirming or denying who it is investigating," an AFP spokesperson said in a statement. "Activities such as hacking, creating, or propagating malicious viruses or participating in DDoS attacks are not harmless fun.

"Criminal acts such as this can result in serious long-term consequences for individuals, such as criminal convictions or imprisonment," the statement said.
