Australian Government Contractor Data Breach
By Cameron Abbott, Allison Wallace and Olivia Coburn
The personal details of almost 50,000 Australians have been published online by a third party government contractor, who is yet to be identified. And I guess you would feel a little shy about owning up to this one!
The subjects of the breach are employees of government agencies, banks and the utility UGL.
The breach occurred due to a misconfigured Amazon S3 bucket, which is a type of internet cloud storage.
The misconfiguration was discovered by a Polish security researcher, who found full names, passwords, IDs, phone numbers, email addresses, credit card numbers and details on staff salaries and expenses.
The leak is one of the largest data breaches in Australia. Insurer AMP has been the most impacted, with 25,000 staff records leaked, while UGL had 17,000 records exposed. Other organisations affected include Rabobank with 1,500 leaked records, the Department of Finance with 3,000, the Australian Electoral Commission with 1470, and the National Disability Insurance Agency with 300.
The information included full names, emails, expenses and payment details, and was publicly available online until October, when the Australian Cyber Security Centre (ACSC) was alerted to the breach. The ACSC worked with the contractor to secure the information and remove the vulnerability.
This is not the first government contractor to experience a cybersecurity incident – earlier this month we blogged that an Australian defence contractor was hacked, exposing 30 gigabytes of data.