Australian Government Contractor Exposed 50,000 RecordsMisconfigured, Unprotected Amazon S3 Bucket Blamed for Data Exposure
Nearly 50,000 personal records relating to Australian government employees as well as employees of two banks and a utility were exposed to the internet due to a misconfigured Amazon cloud storage server that was storing backup data.
The backups to the Amazon Simple Storage Service, which were made in March 2016, belong to a third-party contractor, iTnews reports. The publication, which first reported the story, says it was tipped off to the breach by a Polish security researcher who goes by "Wojciech."
Labour MP Ed Husic, the party digital economy spokesman, says the latest breach should have been made public sooner rather than first being revealed in the press.
"The government cannot claim that it is not to blame for the actions of a contractor," Husic tells national broadcaster ABC. "Ultimately the buck stops somewhere. This is a serious breach and the government should treat it seriously."
The data exposure is the latest in a string of significant breaches to have affected Australia.
Last month, the Australian government revealed that hackers had breached a small domestic military contractor and stolen 30 GB of information on key defense systems, including the country's F-35 Joint Strike Fighter program (see Hacker Steals Joint Strike Fighter Plans in Australia).
The biggest known breach of Australians' personal information was revealed in October 2016 after an IT services contractor inadvertently posted online personal details for 550,000 registered blood donors. Australian Red Cross apologized for the breach (see California Auto Loan Firm Spills Customer Data).
The data exposed in the Amazon S3 backup included names, email addresses, phone numbers, IDs, passwords, some credit card numbers and details about staff salaries and expenses, iTnews reported.
Some 4,477 records pertained to Australia's Finance Department, the Electoral Commission and the National Disability Insurance Agency. A fourth government agency was also affected but it has not been named.
In a statement, the Office of the Prime Minister and Cabinet says that the contractor responsible for the breach was retained to provide expense management services. The government adds that the data was historical and partially anonymized and not classified or related to national security.
"It contained limited personally identifiable information of government employees such as work email addresses, and in some cases Australian Government Service numbers and corporate credit card details," it says. "The bulk of credit card information within the data set had already expired."
The Australian Cyber Security Center learned of the breach in early October. The contractor fixed the issue within hours of being notified, the government says.
"Having removed the vulnerability, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangement and support affected staff," it says.
The Office of the Information Commissioner is also assisting in breach response, the government says.
Data pertaining to financial institutions Rabobank and AMP and the energy utility UGL was also affected by the data exposure. iTnews reported that 25,000 exposed records pertained to AMP, and that 17,000 UGL records and 1,500 "pieces of employee data" linked with Rabobank were also exposed.
An AMP spokesman says the exposed data related to internal staff expenses and did not include employee salary details. No customer records were compromised. "AMP treats data security very seriously and has strict policies in place regarding the handling of data with third-party vendors," he says.
Rabobank says a limited amount of employee data was exposed, but it didn't include salaries, credit card details or external client data.
A UGL spokeswoman declined to comment.
Lock Down Buckets
Amazon's Simple Storage Service is widely used by organizations due to its flexibility and low cost. While Amazon maintains security recommendations that all S3 users should follow, not all do. And any mistakes can lead to vast amounts of data being left downloadable by anyone with internet access.
The security researcher Wojciech, for example, was searching specifically for S3 "buckets" - the term for a storage instance - that were not protected by authentication controls, iTnews reports.
But it says that the Australian Signals Directorate, which is the country's signals intelligence agency, told Wojciech that the contractor tied to the exposed data has now begun using access control lists for its S3 buckets to prevent future data leaks.