In yet another accidental data breach, sensitive and personal information of nearly 50,000 Australians was reportedly left freely exposed online. The breach, which is reportedly now considered to be the largest since last year's Red Cross breach, affected employees of the government and private firms.
The data left exposed reportedly included names, IDs, passwords, phone numbers, addresses, credit card information, staff salary details and more. The data was allegedly left exposed due to a misconfigured Amazon S3 bucket, presumably left unsecured by a third-party contractor.
According to IT News, the breach was discovered by a Polish security researcher going by the moniker Wojciech. The breach reportedly affected 3,000 employees at the Department of Finance, 1,470 staffers at the Australian Electoral Commission, and 300 employees at the National Disability Insurance Agency. Around 17,000 staffers records from Utility UGL and 1,500 employees' data from Sydney-headquartered Rabobank were also exposed.
However, financial services firm AMP was reportedly the one worst affected by the breach, with over 25,000 staffers' records freely exposed to the public as a result of the misconfigured S3 bucket.
AMP confirmed that a "limited amount of company data" detailing staff expenses had been unknowingly exposed by a third-party contractor. "The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed. No customer data was compromised at any time," a spokesperson of AMP told IT News. "AMP treats data security very seriously and has strict policies in place regarding the handling of data with third party vendors. We are reviewing the situation to ensure standards are maintained."
"Once the Australian Cyber Security Centre (ACSC) became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability," a spokesperson for the parent agency of ACSC, the department of prime minister and cabinet, told IT News. "Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements."
Wojciech reportedly claims that he alerted the Australian defence department and AMP about the breach in October, but only received a response from the government agency. It still remains unclear as to how long the data was left publicly accessibly before Wojciech stumbled onto it. It also remains uncertain whether the exposed data was accessed by any malicious hackers before it was discovered and secured.