Govt contractor exposes personal info of 50,000 Aussies


By Dylan Bushell-Embling
Friday, 03 November, 2017



The sensitive information of nearly 50,000 Australian citizens and 5000 public servants was exposed in a massive federal government data leak, according to reports.

The leak was discovered by a Polish security worker and first reported by ITNews on Thursday. It involved personal details, including full names and in some cases credit card and other payment details, that an IT contractor had accidentally posted online.

Records of employees from the Department of Finance, the Australian Electoral Commission and the National Disability Insurance Agency, as well as private sector workers from AMP, UGL and Rabobank, were all exposed in a misconfigured Amazon Web Services (AWS) cloud storage service that had been left publicly accessible.

The affected agencies have been working with the Australian Cyber Security Centre and the Information Commissioner to develop a response to the breach.

The government is playing down the impact of the leak, with a Department of the Prime Minister and Cabinet (PM&C) spokesperson telling the ABC that the exposed data did not include any national security data or classified material, and was historical, archived and partly anonymised.

But Shadow Digital Economy Minister Ed Husic countered that this is a serious breach that should be taken seriously. He insisted that the buck stops with the government and not the contractor in terms of assigning blame.

Content Security CTO Ken Pang said the issue lies with the fact that criminals have discovered a way to derive AWS S3 Bucket names from the generated strings and are using the method to scan for insecure buckets.

“Organisations who use Amazon should investigate whether they are using S3 Buckets, and whether appropriate permissions have been applied to their buckets,” he said.

“Australian organisations need to understand that as they move to the cloud they could be increasing their exposure and may need specialist consulting to assist them in securing their cloud workloads. This breach also highlights the importance of third-party audits and proper policy and procedures.”
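The permissions check Pang recommends can be scripted. The following is an added example, not code from the article, from Content Security or from AWS: it inspects the three documents that decide whether an S3 bucket is readable by anyone, in the JSON shapes returned by `aws s3api get-bucket-policy`, `aws s3api get-bucket-acl` and `aws s3api get-public-access-block`. The sample documents are constructed so it runs offline; the bucket name `example-bucket` and the verdict rules are the example's own assumptions, and S3 Block Public Access is an AWS control that postdates this 2017 article.

```python
"""Flag S3 buckets whose policy or ACL grants read access to anonymous users.

Added example (not from the article, Content Security or AWS). Input is the
JSON that `aws s3api get-bucket-policy`, `get-bucket-acl` and
`get-public-access-block` return; the documents below are constructed.
"""
import fnmatch
import json

# Grantee URIs AWS uses for "everyone" and "anyone with an AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Actions that let a caller download objects or list the bucket.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """Policy JSON allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for "Principal": "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(action_patterns):
    """Match action patterns such as s3:GetObject, s3:Get*, s3:* or * against the read actions."""
    patterns = [p.lower() for p in action_patterns]
    return any(fnmatch.fnmatchcase(a, p) for a in READ_ACTIONS for p in patterns)


def public_policy_statements(policy_json):
    """Return Sids (or positional labels) of Allow statements granting read access to anyone."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal", {})):
            continue
        if _grants_read(_as_list(stmt.get("Action", []))):
            # A Condition block may narrow the grant; flag it anyway so a human reviews it.
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl_json):
    """Return (group, permission) pairs the ACL grants to AllUsers or AuthenticatedUsers."""
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def block_public_access_complete(pab_json):
    """True only when all four S3 Block Public Access settings are enabled."""
    cfg = json.loads(pab_json).get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def audit_bucket(policy_json, acl_json, pab_json):
    """Combine the checks. Simplification (assumption): only a fully enabled block overrides findings."""
    policy_hits = public_policy_statements(policy_json)
    acl_hits = public_acl_grants(acl_json)
    blocked = block_public_access_complete(pab_json)
    return {
        "public_policy_statements": policy_hits,
        "public_acl_grants": acl_hits,
        "block_public_access_complete": blocked,
        "verdict": "private" if blocked or not (policy_hits or acl_hits) else "public",
    }


# Constructed samples: the classic "anyone can download" policy, an account-scoped
# policy, a world-readable ACL, and Block Public Access fully off / fully on.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # placeholder account id
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
EXPOSED_ACL = json.dumps({"Owner": {"ID": "ownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]})
NO_BLOCK = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}})
FULL_BLOCK = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}})

if __name__ == "__main__":
    print(json.dumps(audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, NO_BLOCK), indent=2))
```

In practice the three documents are fetched per bucket with the `aws s3api` calls named above (a bucket with no policy returns an error from `get-bucket-policy`, which should be treated as an empty policy), and a `Condition` on a flagged statement is worth reading by hand before deciding the grant is really anonymous.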

A Malwarebytes senior sales engineer said the debacle demonstrates that “you can’t outsource the responsibility of security. Amazon have very good guidelines around securing your data but the responsibility lies with the individual and the company using the cloud environment. The cloud has blurred many individuals’ and companies’ expectations of where responsibility for security sits.”

LogRhythm Director of Sales for ANZ Simon Howe agreed, stating that widespread uptake of virtualisation and cloud computing has left unseen security gaps in the IT infrastructure of every organisation.

“This is a serious issue that is being ignored despite the warning signs which are clear and the meltdown has already happened. Virtualisation technology brings a whole new ball game to why companies should have a security-first mindset when deploying any new technology,” he said.

“When you combine the dynamics and ease of use, coupled with privileged user access, then with the wrong controls in place you have a recipe for disaster... Organisations that choose to be complacent will risk being part of the most catastrophic system failure that we have ever seen.”
