First State Super in breach of Privacy Act
7 June 2012
Some seven months after a highly publicised incident involving a flaw in First State Super’s members’ online application, the Australian Privacy Commissioner, Timothy Pilgrim, released the findings of his investigation – which found First State Super (FSS) in breach of the Data Security Principle included in the Privacy Act.
The Privacy Commissioner’s investigation found that FSS did not disclose information to a third party. However, the Commissioner did find that FSS had not taken reasonable steps to protect the personal information held in the member section of its website from unauthorised access.
Private security consultant Patrick Webster first reported the application vulnerability in October 2011, becoming aware of it while viewing his own online information. After running a program which demonstrated that the flaw was serious – giving him access to the records of 568 other FSS members (largely NSW public servants) by entering a member number in the URL – Webster reported his findings to FSS. FSS took immediate action – which included notifying the NSW Police but which did not include notification of all 77,000 members or immediate notification to those affected by Webster’s exploitation of the flaw.
A third party – Pillar Administration – was responsible for maintaining the site, which included ensuring its security. Pillar advised at the time that it was aware of the unauthorised access by Webster (through system alerts) but was not aware of the actual application flaw. Pillar later revealed that three other superannuation funds it administers were also affected.
In November 2011, it was reported that the federal government had followed up the problem with Pillar Administration who were set to take over the super fund for federal politicians, police, ASIO spies, department heads and other federal public servants. The federal government ordered an immediate independent IT review of Pillar's systems as a result of which "remedial security enhancements" were agreed to be implemented.
First State Super was criticised for failing to inform customers, and Pillar faced allegations from a former IT staffer that it had known of the security flaw for years and done nothing. Some experts also questioned whether Pillar really did have alerts in place for when a member accessed another member’s statement – arguing that if Pillar was aware enough of the security flaw to design an alert around it, it makes no sense that the flaw was not fixed.
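To make the two points above concrete (the member number taken from the URL with no ownership check, and the question of whether an alert on cross-member access was in place), here is an added illustration that is not code from the article, FSS or Pillar. It models a statement lookup with and without the ownership check and records denied cross-member requests so they can be counted; the member numbers and data are constructed.

```python
# Added example (not the article's or the fund's code): a minimal model of an
# account lookup keyed by a member number supplied in the URL, first without and
# then with the check that the number belongs to the logged-in member, plus the
# alert record a monitoring system would need to spot cross-member access.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: member number -> statement (all values invented).
STATEMENTS = {
    "100001": {"name": "Member A", "balance": 52000.0},
    "100002": {"name": "Member B", "balance": 87500.0},
}

@dataclass
class Session:
    member_no: str  # the member number proven at login, not taken from the URL

@dataclass
class AlertLog:
    events: list = field(default_factory=list)

def statement_vulnerable(session: Session, requested_no: str) -> Optional[dict]:
    """Flawed handler: trusts the member number from the URL and never compares
    it with the logged-in member, so any valid number returns someone's record."""
    return STATEMENTS.get(requested_no)

def statement_hardened(session: Session, requested_no: str,
                       alerts: AlertLog) -> Optional[dict]:
    """Fixed handler: a mismatch between session and URL is refused and logged,
    and the record served is always keyed by the session's own member number."""
    if requested_no != session.member_no:
        alerts.events.append({"session_member": session.member_no,
                              "requested": requested_no, "action": "denied"})
        return None
    return STATEMENTS.get(session.member_no)

def cross_member_attempts(alerts: AlertLog, session_member: str) -> int:
    """Detection view: denied requests by one session for other members' records."""
    return sum(1 for e in alerts.events if e["session_member"] == session_member)

def looks_like_enumeration(alerts: AlertLog, session_member: str,
                           threshold: int = 3) -> bool:
    """Raise an alert once a single session has been refused more than
    `threshold` times; a threshold of 3 is an assumed, tunable value."""
    return cross_member_attempts(alerts, session_member) > threshold
```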
Privacy Commissioner’s Report
In its investigation the Privacy Commissioner found that personal information that could be downloaded from FSS included member names and addresses, details of superannuation account transactions, balances and members' ages. It did not include date of birth or financial details.
According to the report, FSS had conducted its own penetration tests prior to the incident, with its contracted auditing firm, Pillar Administration, performing over 200 security tests, none of which revealed the flaw Webster would later point out. This was because the tests' scope was restricted to a small area of FSS' activities, so the vulnerability was missed entirely.
The Commissioner's report accepts that system alerting was in place – noting that Pillar's website monitoring system had detected an anomaly before Webster notified FSS, and that, even if Webster had not informed the superannuation fund, FSS should have been able to identify and close the vulnerability.
"In the Commissioner's view, FSS would therefore have had the capacity to remedy this flaw in its system, even if it had not been advised of the vulnerability by [Webster]. However, because testing was limited, the vulnerability was not discovered until it had already been exploited," the report read.
Due to FSS' inaction prior to the incident, the report concludes that FSS breached National Privacy Principle 4.1, which "requires organisations to take 'reasonable steps' to protect the personal information they hold, from misuse and loss, and from unauthorised access, modification or disclosure".
The Commissioner made no further adverse finding in relation to FSS, acknowledging “the speed with which FSS acted when they became aware of the incident, immediately containing the incident, notifying affected members and commencing an internal investigation.” These factors led the Commissioner to cease the investigation on the basis that "the response to this incident appears adequate in the circumstances".
First State Super’s Response
FSS has accepted the finding of the failure to take reasonable security measures though it has been at pains to state that "at no time was there any opportunity for fraudulent transactions to occur."
Reference has also been made to the stringent security measures now in place, including “regular ongoing security testing and reporting by highly regarded, independent specialist IT security consultants."
This decision makes it clear again that a co-operative attitude works best – this investigation being closed without any serious adverse comment by the Commissioner. It is likely that the adverse media coverage, together with the reactions of other customers, had a bigger impact on First State Super than the Commissioner’s findings. This is a good outcome if the result is better security measures.
It is interesting that the Commissioner didn’t take the opportunity to investigate Pillar further, given the widely reported use of similar applications in a number of other large Commonwealth government agencies, in respect of which the Commissioner already has the power to audit.
Given the proposed amendments to the Commissioner’s powers, there might be a different result in future – such as a requirement for an independent expert’s report to be made available to the Privacy Commissioner.
A full investigation report can be accessed here: http://www.oaic.gov.au/publications/reports.html#omi_reports