Aussie insurer in hot water after hassling hacker

An Aussie pension outfit, which tried to hassle a hacker who wanted to help them fix a security hole, is now in deep trouble in a cyber billabong.

First State Super called the cops and unleashed the legal hounds on private security consultant Patrick Webster after he informed them of a bug that opened up access to the company’s database of sensitive customer details. Writs were issued as the outfit tried to get Webster to wipe his hard-drive and forget he had ever seen a gaping security hole in its operations.

Of course, Webster’s story was taken up by the press and the antics of First State Super are starting to look more than just a PR own goal.

The Federal Privacy Commissioner, Timothy Pilgrim, told the Sydney Morning Herald  today he was opening an “own motion investigation” into First State Super. An own motion investigation appears to be what happens when you look at a company’s poo.

Webster showed the outfit a serious security hole and punters only found out about it when the press reported that First State gave Webster a good kicking. First State was reported as treating him very badly but also for failing to detect such a glaring and easily exploited security flaw. All Webster had to do was change a number in a URL bar which is hardly a hack.

But it is possible that hundreds of thousands of accounts may have been exposed. First State Super only warned some of its customers, which Acting NSW Privacy Commissioner John McAteer says not warning the entire database was not acceptable.

First State appears to only have informed the 500-odd customers whose accounts were accessed by Webster when he demonstrated the flaw and not all those who were potentially exposed by the flaw.

First State Super CEO Michael Dwyer insisted that there was no evidence that anyone other than Webster had gained unauthorised access to customer accounts. But other computer security consultants who are paid by companies to test their networks, “highly doubted” First State kept logs or had the ability to check.

It looks like First State Super’s 770,000 customers may not have been at risk if only it had heeded a warning from McAteer after a similar hack earlier this year.