AAPT privacy breach censure a "wake-up call"

Australia’s privacy commissioner last week found telecom corporate and wholesale service provider AAPT to have breached the Privacy Act for failing to adequately protect customer data during a hacking incident in 2012.

While AAPT will not be fined over the incident, as the commissioner does not currently have powers to impose penalties for cases investigated under his own initiative, new amendments coming into effect in March 2014 will change this.

In July last year, members of hacktivist group Anonymous stole archived AAPT customer data stored on servers hosted by IT contractor Melbourne IT and published the details online.

The personal information was used to verify AAPT business customers and included information collected for the purpose of obtaining credit reports.

At the time, the perpetrators told SC Magazine they had breached the dedicated server through a security vulnerability in an unpatched version of Adobe Cold Fusion.

In a statement, Privacy Commissioner Timothy Pilgrim said the incident “highlights the importance of having appropriate security systems and contractual arrangements in place to avoid a breach such as this. Organisations should ensure that contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues.

“More should have been done to appropriately manage and protect the information involved. Using older versions of applications and software when newer versions are available is a risk that needs to be actively managed, particularly when personal information is involved.”

Pilgrim added that the compromised servers contained old customer information that AAPT no longer needed - in violation of the Privacy Act.

He noted that the upcoming amendments to the Act will give the commissioner new powers when investigating privacy breaches. “From that date I will be able to obtain enforceable undertakings from organisations and, in the case of serious or repeated breaches, seek civil penalties.”

IBRS advisor James Turner said it is important to understand that when an organisation is breached, it’s not the organisation’s fault. “We need to remember that the fault lies with the attacker. It’s not the fault of a shop if it’s robbed and it’s not the fault of a person if they are mugged.”

That said, there are always steps an organisation can take to improve its security stance or minimise the impact of an attack, he said. “In the case of AAPT, Pilgrim stated that they could have done more, and it seems he would have liked to fine them. This indicates that in the view of the [commissioner], it was reasonable to expect that AAPT could have done more to protect the disclosed information.”

Rob McMillan, Gartner research director for security and privacy, said the AAPT breach appears to boil down to a process failure, which is not an uncommon issue. “It’s not always a simple thing to go and just fix vulnerabilities ... But the majority of vulnerabilities [are] imminently fixable - it’s a very simple thing to do - and as we’ve seen in this case here, it could save a lot of grief.”

He said the incident should serve as a “wake-up call for organisations in this country that you can’t afford to be slack over simple stuff. The Office of the Australian Information Commissioner has come out and said that it’s looking to have some examples and enforce this legislation. They’ve nailed their colours to the mast, they’re taking this very seriously ... and I think that requires a response from any Australian organisation.”

Complying with the new privacy rules could require changes to organisations’ culture, technology and processes, and the most important of these is the cultural side, he said. “Organisations that don’t have that culture already are also less likely to have the right processes, the right technology. It’s one thing to implement technology and process but change in culture takes a long time.”

IBRS’s Turner said organisations should be preparing now. “Australian organisations should have an extensive review of their information assets and know where these are, and how they are protected. IT departments should be working closely with in-house legal counsel, and HR, to ensure that the organisation knows its legal exposure. As much as I don’t think most Australian organisations are ready for the Privacy Act amendments, I think the bigger issue is that most are probably not aware of their level of exposure.”

McMillan said for organisations wishing to prepare for the amendment, “Reading it would be a great start. You’ve got to have someone that’s going to have some accountability, someone who’s got enough time and enough headspace to think through the raft of reforms.  And each organisation really needs to make an assessment about how [the reforms] affect them.”

Some organisations will be ready in time for the amendments, but others may struggle to comply, he said. “It will be like most legislative reform that we see - some will take it seriously and some won’t, and those who won’t will get caught out.”

The fines the commissioner will be empowered to mete out for serious breaches will be capped in the low millions, which will mean little for monolithic companies with billions in revenue. But McMillan said the negative publicity from a privacy breach is a much more meaningful penalty than a fine for large companies, and privacy has become such a hot-button issue worldwide.

“That’s the interesting thing about this,” he said. “Before the commissioner had naming and shaming and not much else. Now there is the ability to impose financial penalties, but the profile of this issue I’d suggest is much higher than it’s been in the past, and it’s probably going to remain much bigger than it’s been for a long time yet.”

Image courtesy of Alan Cleaver under CC