Personal details of almost 50,000 Australian employees have been compromised in the country’s largest data breach since the Red Cross leaks.
Reports state that up to 48,270 personal records from employees working in government agencies, banks and a utility have been exposed online by a third-party contractor thanks to a misconfigured Amazon S3 bucket. The files exposed include full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expense; however, iTnews reported that most of the credit card numbers were out of date or cancelled.
Insurance company AMP was hit the worst, with 25,000 staff records relating to internal expenses exposed, while Aussie utility UGL had 17,000 records exposed. About 3,000 employees at the Department of Finance, 1,470 at the Australian Electoral Commission and 300 at the National Disability Insurance Agency had their details openly accessible; and, 1,500 employees at Rabobank were affected.
“Once the Australian Cyber Security Centre became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability,” the Department of Prime Minister and Cabinet told iTnews. “Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements.”
Cloud server misconfigurations are increasingly common, leading to data breach after data breach. One of the worst occurred in June when US defense contractor Booz Allen Hamilton left more than 60,000 US Department of Defense files publicly exposed in an Amazon S3 repository.
"Cloud computing is an increasingly popular way for centralizing storage and data access and often provides a cheaper more elastic and secure platform for enterprises to harness; however, their configuration can often be more than simple,” said Ian Ashworth, security consultant at Synopsys, via email. “Being internet-connected and widely accessible should dictate a greater level of diligence in their setup and tailoring to ensure they appropriately manage accessibility and control. Authentication and correct levels of authorization are two such essential measures for granting user access to the most sensitive of data or services. When especially dealing with PII and payment details, additional storage protection measures should be employed providing an overall layered security architecture."