Telstra discovers Pacnet security breach after takeover
Telstra has admitted to discovering a security breach of Pacnet's corporate IT network shortly after finalising the AU$697 million purchase of the company in April.
The company announced on Wednedsay that it had begun informing customers and regulators in the relevant countries that an SQL injection on a web application server in Pacnet's network had allowed access to its network, and a third party had gained access to Pacnet's corporate IT network including its email and administrative systems.
Latest Australian news
Pacnet discovered and fixed the vulnerability on April 3, just under two weeks before Telstra finalised its purchase of Pacnet on April 16.
Telstra's own network is separate from the Pacnet network, at this stage.
Telstra was only informed of the breach on April 16, and put in place additional monitoring and oversight on the network.
Group executive of global enterprise services, Brendon Riley, said the company had now been working to inform customers.
"Now we have addressed the breach and understand its potential impacts. We are in the process of advising our Pacnet customers worldwide of what occurred and reassuring them that we are now applying the same high level of security we apply to Telstra's networks," he said.
Riley told journalists that it would have been better for Pacnet to have informed Telstra of the breach prior to the deal's completion.
"I think it would have been good to know about it prior to completion, but they were managing and dealing with it, but from their perspective they thought they were doing the right thing, and as soon as completion occurred, we were advised of it.
Telstra's chief information security officer Mike Burgess said that while there was no evidence that data had been taken, it could not be ruled out.
"We just have to be very open that that is still a possibility and we need to be ready to deal with that."
The Australian Federal Police is a customer of Pacnet, and Telstra could not rule out that AFP information may have been accessed in the breach.