Lessons from the trenches: Australian firms make it easy for hackers

As an Australian vocational school left victims unaware of a data breach for a year, EY warns another company that inadequate security is an accident waiting to happen


Sometimes, hackers will literally just walk through your door. That appears to be the case at Melbourne Polytechnic, and security lapses at Alinta Energy could allow the same to have happened there.

Authorities were quick to blame the “reckless” Hong Kong owners of Australian energy giant Alinta Energy after privacy concerns of its 1.1 million customers, but a subsequently disclosed breach — of over 50,000 staff and students at one of Melbourne’s largest vocational schools — is a reminder that even domestic security is being regularly compromised.

Inside the Melbourne Polytechnic breach

Technical and further education provider Melbourne Polytechnic disclosed that it had been hit by a “highly complex” data breach sometime between September and December 2018, with Victoria Police notifying the university of the breach in October 2019 after an extensive investigation.

The training institute — which, ironically, counts cybersecurity courses amongst its catalogue — wrote to around 55,000 staff, students, and suppliers to warn them that cybercriminals may have compromised information including their Melbourne Polytechnic email username and password, driver’s license, passport details, banking details, tax file number, and superannuation details.

Health information was also said to have been compromised, with the university advising that “it is unlikely that this information will be able to be used to undertake further criminal activity” but offering counselling for concerned members of the community.

Security consultants rate healthcare information as extremely valuable online, because it helps attackers build exploitable victim profiles for identity theft.

Yet with more than 50,000 staff and student emails potentially compromised, resale of healthcare data is only one of several potential consequences from the breach.

Such information provides fresh fodder for credential-stuffing attacks — in which Melbourne Polytechnic access details could be used both to try accessing victims’ accounts on other cloud-based services, and to access institutional email accounts that could be used to reset passwords on related services.
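The credential-stuffing pattern described above has a recognisable shape on the receiving service's side: one source trying many different usernames in a short window, most of them failing, with the occasional success where a victim reused their password. The following script is an added illustration of that detection logic, not code from the article or from either organisation it discusses; the log format, the thresholds and the sample log lines are constructed for the example.

```python
"""Added example (not from the article): flag credential-stuffing patterns in
web-application authentication logs.

Credential stuffing replays username/password pairs from one breach against
other services. On the receiving side it typically shows up as a single
source trying many *distinct* usernames with a high failure ratio inside a
short window, unlike a legitimate user, who retries one account a few times.
The log format, thresholds and sample lines below are constructed for
illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> ip=<src> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 10.0.0.5 sprays many different accounts (one reused
# password succeeds); 10.0.0.9 is a forgetful legitimate user retrying one account.
SAMPLE_LOG = """\
2020-03-01T09:00:01 ip=10.0.0.5 user=alice result=fail
2020-03-01T09:00:02 ip=10.0.0.5 user=bob result=fail
2020-03-01T09:00:02 ip=10.0.0.5 user=carol result=fail
2020-03-01T09:00:03 ip=10.0.0.5 user=dave result=ok
2020-03-01T09:00:04 ip=10.0.0.5 user=erin result=fail
2020-03-01T09:00:05 ip=10.0.0.5 user=frank result=fail
2020-03-01T09:00:10 ip=10.0.0.9 user=grace result=fail
2020-03-01T09:00:20 ip=10.0.0.9 user=grace result=fail
2020-03-01T09:00:40 ip=10.0.0.9 user=grace result=ok
"""


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (
        datetime.fromisoformat(m.group("ts")),
        m.group("ip"),
        m.group("user"),
        m.group("result") == "ok",
    )


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources whose login attempts inside some sliding
    window hit at least `min_distinct_users` different accounts with a failure
    ratio of at least `min_fail_ratio`. For each flagged source the largest
    qualifying window is reported.

    `succeeded` lists accounts that logged in successfully from a flagged
    source; those are the accounts a defender should force-reset and review.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, ok = parsed
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            qualifies = len(users) >= min_distinct_users and ratio >= min_fail_ratio
            if qualifies and (ip not in flagged or len(span) > flagged[ip]["attempts"]):
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    "succeeded": sorted(u for _, u, ok in span if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Thresholds of this kind are tuned per service; the useful output for an incident responder is the `succeeded` list, because a successful login from a source that was clearly spraying breached credentials is exactly the reused-password case the article warns about, and those accounts are the ones to reset and review first.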

Alinta Energy skimps on controls to protect privacy

The Melbourne Polytechnic breach highlights the continuing exposure many companies have to compromise — and comes on the heels of revelations that major energy supplier Alinta Energy has not been implementing suitable controls to protect the privacy of its customers.

The company — which collects and stores personal details including contact details, birth dates, Medicare and passport numbers, credit card details and health information — failed many key elements of a June 2019 privacy compliance audit by EY, according to an investigation by the Sydney Morning Herald, Melbourne Age, and ABC’s 7.30.

Despite the requirements that Australia’s Privacy Act places on companies to protect personally identifiable information (PII), EY warned that the energy giant lacked appropriate internal oversight and “doesn’t meet the requirements of privacy laws”.

The company, a leaked EY report warned, takes an “ad hoc approach to retention and deletion of [PII], the transfer of sensitive information resulting in business areas developing their own approach to managing privacy which, at times, doesn’t consider all PI or doesn’t meet the requirements of privacy laws.”

Most of the company’s business areas “were not aware of” policies governing data retention, disposal and de-identification, EY concluded.

Many intrusions take easy advantage of poor security, with long-term consequences

The unveiling of Alinta Energy’s inadequate privacy practices highlights the extent to which many organisations continue to offer themselves to hackers on a silver platter — a shortcoming that was also noted in the Melbourne Polytechnic case.

Far from the common image of malicious hackers surreptitiously breaking into target networks under cover of night, forensic analysis of the breach suggested that the perpetrator simply walked onto the Melbourne Polytechnic campus and began using one of its networked computers.

The extended timeframe of the breach — some 18 months passed between the beginning of the period of potential compromise and disclosure of the breach, and notification of affected individuals this month — means those individuals’ data has likely been diffused far and wide online, most likely for sale.

IT administration staff reset the passwords of affected users after being notified of the breach — but the gap between the hack and its disclosure to Melbourne Polytechnic meant that affected accounts were left exposed throughout most of 2019.

The institute “does not know” whether the data taken in the breach has been used for malicious purposes, but has directed victims to national identity theft and cyber support service IDCare to learn how to manage the potential impacts of the breach.

Police have charged an individual over the Melbourne Polytechnic breach, with the case expected to go to trial later this year.

Copyright © 2020 IDG Communications, Inc.
