Aussie gaffe: well, the program isn’t called ‘Stay Smart Offline’

The saga begins in 2008 when AusCERT, a non-profit organization that operates the country’s national computer emergency response team (CERT), received AUD$1.2 million to run Australia’s e-security alert service for home computer users and small and medium-sized businesses, part of the government’s Stay Smart Online initiative.

However, AusCERT was anything but smart when it mailed a DVD with personal information on 8,000 subscribers to the Department of Broadband Communications and Digital Economy (DBCDE), the agency that awarded the contract. The package, which was sent by post in April of this year, never arrived at DBCDE, the Stay Smart Online team said in a July 6 email to subscribers. The DVD contained subscribers’ usernames, email addresses, memorable phrases, and encrypted passwords.

The DBCDE said that it had “no reason to believe that this information has been found and misused by any third party and we do not believe that there is a privacy risk”, a common refrain of agencies, organizations, and companies that are caught red-faced by a security breach.

Australian security blogger Geordie Guy quipped about the breach: “You couldn’t make this up. I actually had to check it was July the 6th and not April the 1st.”

Guy added: “This isn’t likely to be the last data leak this year, it’s unlikely to be the biggest, but it’s above and beyond the most embarrassing for a government department with a long history of poor practice (despite its preaching), and I think I speak for a lot of the online rights community when I say it’ll be a long time before we get another this funny.”
