The Department of Social Services (DSS) in Australia suffered a major data breach incident earlier this year after personal details of 8,500 current and former employees were left exposed by a third-party contractor.
The breach of sensitive data belonging to DSS personnel was first observed and red-flagged by the Australian Cyber Security Centre in October.
Business Information Services is an Australian third party contractor that stores sensitive data belonging to DSS employees. In a letter to as many as 8,500 current and former employees in October, Scott Dilley, the chief financial officer at DSS, said that their sensitive personal and financial data were breached because of the actions of the third-party provider who stored such data in a server visible to the public.
The breached data included names, usernames, passwords, addresses, credit card information, e-mail addresses, Australian government services numbers, public service classifications and organisation units of 2,000 current and 6,500 former employees at the Department of Social Services.
According to the Guardian, the DSS was informed of the breach by the Australian Signals Directorate on 3rd October, following which the Australian Cyber Security Centre directed Business Information Services to secure the data and plug security vulnerabilities.
Compromised data belonging to DSS personnel was open from June 2016 until October 2017 when it was noticed by the Australian Signals Directorate. However, Dilley said that there was no evidence on credit card numbers being stolen or used by any third party.
Now that the breach has been revealed by the Department of Social Services and covered in an exclusive report by the Guardian, the Greens are up in arms, demanding a detailed investigation into the incident and answers from the government on why the breach took place.
‘The minister must now outline what is being done to investigate this breach, explain to staff exactly how their data was exposed, for how long and whether it is now safe, and confirm whether his department complies with the mandated cybersecurity standards.
‘It’s the government’s responsibility to ensure the cyber-resilience of government agencies and this responsibility extends to the contractors that government agencies employ,’ said Jenny Macklin, social services spokeswoman for the opposition.
Business Information Services offers its services to several government departments and as such, any security vulnerability may also impact data belonging to millions of citizens. David Vaile, chairman of the Australian Privacy Foundation, told The Guardian that DSS has not acknowledged that outsourcing functions to an external provider “represents an increased risk, and in this case it has come home to roost”.
He added that the concept of “you can deny you’re part of the problem, you think you’ve contracted out of responsibility” is harmful “from a governance perspective”.
According to security firm UpGuard, if an enterprise with highly resilient and secure IT toolchain outsources the handling of sensitive or valuable data to a third-party vendor lacking such well-designed processes and systems, then the hiring enterprise should pay the price for any resulting exposure.
The firm also said that enterprises and their vendors must share equal responsibility to ensure the security of sensitive data against exposure to the wider internet. Such responsibility will ensure that third party vendors will no longer be the weakest point in an organisation’s cyber defence system.
Writing for TurboFuture, Virginia Matteo says that while choosing a third party vendor, an enterprise must consider the agency’s experience and ability to secure data, existence of any complaints or litigations against the agency, its systems and data security plans, insurance coverage, security of its websites, scope of internal control and its knowledge of consumer protection and civil rights laws.
‘Despite the inconveniences of proper vetting, it is crucial for your company’s security; you don’t want to end up contracting fraudulent or even non-existent third parties. Aim to balance out the costs and security considerations,’ she adds.