18 October 2013

AAPT, Anonymous and the OAIC

The Australian Privacy Commissioner has announced that AAPT Limited breached the Privacy Act 1988 (Cth) last year by failing to "adequately protect customer data from unauthorised access" and by failing to comply with the obligation to destroy or permanently de-identify information that was no longer in use.

Anonymous hacked AAPT customer data on a server of Melbourne IT subsidiary WebCentral in July last year. Melbourne IT is a spin-off from Melbourne University and remains a dominant domain name registrar, with operations in Australia and elsewhere. AAPT is a telecommunication service provider dealing with large corporations and SMEs. It originated as the connectivity arm of the Australian Associated Press (ie two of the major newspaper publishers) and is now a wholly-owned subsidiary of Telecom Corporation of New Zealand, the NZ equivalent of Telstra.

The server held websites and databases that included personal information about AAPT business customers, for example data used by AAPT in billing, quoting, transferring numbers from other telecommunications carriers as part of the portability regime, obtaining credit reports and verifying customer identity.

Anonymous published that information online.

The Australian Communications & Media Authority (ACMA) undertook a separate investigation into the data breach in relation to AAPT compliance with the Telecommunications Consumer Protections Code C628:2007. In its April 2013 report ACMA found that AAPT contravened clause 6.8.1 of the Code in failing to protect the privacy of small business customers whose personal information was stored in a server that was the subject of unauthorised access.

The ACMA report - titled Investigation Report: Compliance with Clause 6.8.1 of the Telecommunications Consumer Protections Code C628:2007 by AAPT Limited - is significantly more detailed than that by the OAIC. It indicates that
On 2 August 2012, the ACMA contacted AAPT to obtain information about this incident. On 7 September 2012, AAPT provided the ACMA with a copy of a confidential report titled Investigation into Data Security Incident, which occurred on or around 25 July 2012 (the Report). The Report was prepared by AAPT and provided the ACMA with an outline of the cause of the incident, an explanation of AAPT’s response to the incident and the steps taken by AAPT to prevent a repeat of any similar incident.
AAPT's report states that:
(a) On 25 July 2012, AAPT became aware of a security incident whereby a server (the server) supplied and managed by WebCentral Pty Limited, a subsidiary of Melbourne IT, and on which AAPT data was stored was the subject of an unauthorised hacking attack by a third party. It appears that the political activist group ‘Anonymous’ was responsible for the attack. A subset of the accessed files, containing personal information, was later released on the internet. It appears Anonymous attempted to scramble the disclosed personal data in order to anonymise it, but it is unclear whether Anonymous had been completely successful.
(b) The server was accessed by Anonymous in the period 17 – 19 July 2012. 8-10 GB of data was transferred from the server by Anonymous in the period 20 – 22 July 2012. Five of the 8-10 GB of data apparently consisted of two files (3.5 GB and 1.5 GB respectively). Based on AAPT’s analysis, it appears that the information released by Anonymous came from these two files.
(c) The first file (3.5 GB), when uncompressed, was 27GB in total and contained AAPT’s quoting database (named Fusion) which consists of 601 tables of data. The second file (1.5 GB) was found to be corrupt and could not be repaired and read.
(d) AAPT has been unable to determine what data was contained in the remaining 3-5 GB of transferred data, which means that the data may have come from any of the data (approx. 100 GB in total) on the server. AAPT is therefore working on the basis that the entire server may have been compromised.
(e) An initial analysis of the data known to be copied by Anonymous revealed that some of the personal information contained in the 601 tables included:
• 11 instances of credit card details; and
• 184 records of drivers licence numbers and dates of birth for AAPT customers who were sole traders.
(f) AAPT has since conducted a more thorough analysis of the data and has discovered that more personal information was contained in the 601 tables than it had originally thought. An analysis of the 5GB of data known to be copied and the remaining 95GB of data on the server that may have been copied indicates that the following personal information may have been accessed:
• Credit card details 13
• Name 264,691
• Drivers licence numbers 1,394
• Medicare numbers 2
• Email address 109,566
• Address 2,854
(g) The following combinations of personal information were also identified:
• Name and email 108,376
• Name and Address 2,831
• Name and Mobile 64,035
• Name and Telephone 202,353
(h) AAPT has to date sent 1,393 notification letters to affected individuals (114 of which have been definitively identified as sole traders). The letters were sent to people who had the following information held in the server:
• financially sensitive data;
• either or both date of birth and licence government issued ID (e.g. drivers licence, passport) in any combination with name, address and contact details, and/or
• password information (not system generated) in any combination with name, address and contact details....
(l) AAPT has liaised with various government agencies including the Australian Federal Police (AFP) to ensure potential harm is mitigated. AAPT is also taking steps to prevent a repeat of any similar incident.
In summarily - and belatedly - reporting on the OAIC investigation, Commissioner Pilgrim comments that
While I appreciate the speed and the way in which AAPT responded to the incident, it highlights the importance of having appropriate security systems and contractual arrangements in place to avoid a breach such as this.
Organisations should ensure that contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues.
More should have been done to appropriately manage and protect the information involved. Using older versions of applications and software when newer versions are available is a risk that needs to be actively managed, particularly when personal information is involved.
It was also concerning that the compromised servers contained old customer information that was no longer needed by AAPT.
Holding onto old personal information that is no longer needed does not comply with the Privacy Act and organisations which do so are needlessly placing themselves in a position of risk.
No risk, of course, of a meaningful OAIC penalty, pending the proposed data breach statute and implementation of the revised Privacy Act 1988 (Cth) in March next year. We'll need to see whether the OAIC is prepared to use its powers once the amendments are in place.

OAIC recommendations to AAPT appear to follow those from ACMA and include:
• implementing regular training for staff in relation to data retention and destruction,
• ensuring all IT applications are subject to vulnerability assessment and testing,
• ensuring effective lifecycle management,
• conducting regular audits of AAPT’s IT security framework.
All in all, the report deserves the sound of one hand clapping ... better than nothing, but not cause for celebration merely because the OAIC has conducted an own motion investigation.