In April this year Telstra finished its acquisition of Pacnet, giving it access to Asia’s largest privately owned submarine cable network as part of strategy to expand into Asia.
According to news reports it appears that Telstra received a surprise signing bonus when the purchase was completed – notification that the Pacnet corporate IT network had been breached.
The itnews article claims that this wasn’t discovered during due diligence as Telstra and the Pacnet were competitors at the time and it only had limited access to information.
Access to the Pacnet internal network was gained through a SQL injection attack. SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.
Attacks of this nature fall under strategy #24 Server Application Hardening ‘e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.’ in the Australian Signals Directorate (ASD) Top 35 Mitigation Strategies.
Telstra is now left with the task of advising Pacnet customer about the breach.
Although there are no mandatory breach reporting in Australia although there is strong support for it. In October 2013, the Office of the Australian Information Commissioner (OAIC) released survey findings of community of attitudes towards privacy, which showed that 96 percent of respondents want government agencies and businesses to notify them if their personal information is lost or compromised.
Earlier this year the parliamentary joint committee on intelligence and security (PJCIS) recommended that the Government introduce a mandatory data breach notification scheme before the end of 2015. Australia’s privacy commissioner, Timothy Pilgrim, has highlighted telcos bad track record in Australia highlighting Telstra’s 2011 leak of 734,000 customer details and a further leak of the details of 15,775 customers in 2013.
emt Distribution represents Acunetix in Australia and New Zealand. Acunetix was founded to combat the alarming rise in web attacks including SQL Injection and Cross-Site Scripting among others.