Big data leak revealed
A contractor has mistakenly posted personal details of almost 50,000 Australians — including credit card numbers and salaries — online.
Tech news outlet ItNews was the first to report the breach, which it says was discovered by a Polish security researcher known as ‘Wojciech’.
Reports say the information belongs to employees of insurer AMP (25,000 staff records), utility UGL (17,000 records), Rabobank (1,500), the government’s Department of Finance (3,000 people), the Australian Electoral Commission (1,470), and the National Disability Insurance Agency (300).
The Department of Prime Minister and Cabinet says it was alerted to the breach in October, at which time it “contacted the external contractor and worked with them to secure the information and remove the vulnerability”.
“Now that the information has been secured, the ACSC [Australian Cyber Security Centre] and affected government agencies have been working with the external contractor to put in place effective response and support arrangements,” a spokesperson said.
“The data exposed was historical, archived and partially anonymised data.
“It contained limited personally identifiable information of government employees such as work email addresses, and in some cases Australian Government Service numbers and corporate credit card details.
“The departments involved have been notifying affected staff and working to give them appropriate support.”
AMP confirmed that a “limited amount of company data related to internal staff expenses was inadvertently stored in a publicly available cloud service”.
“The mistake was quickly corrected once identified and the matter was investigated to ensure all data had been removed,” its spokesperson said.
“No customer data was compromised at any time [and] we are reviewing the situation to ensure standards are maintained.”
Wojciech says the data was left openly accessible in a misconfigured Amazon S3 bucket.
The researcher said the fact that the files were in a single location and had similar table schema suggested a single contractor was behind the breach.