THE personal details of almost 50,000 Australian employees have been compromised in what appears to be the country’s largest data breach since the Red Cross leaks.
IT News reports up to 48,270 personal records from employees working in government agencies, banks and a utility have been exposed online by a third-party contractor through a misconfigured Amazon S3 bucket. Amazon S3 is a form of cloud storage where employees can store and retrieve data from websites and mobile apps.
The files exposed include full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses.
Insurer AMP was the worst impacted, with 25,000 staff records leaked as a result of the misconfiguration.
Utility UGL was affected to the tune of 17,000 records while 1500 pieces of employee data were recovered from Rabobank.
IT News also reported that the details of several thousand government employees were leaked, including 3000 at the Department of Finance, 1470 at the Australian Electoral Commission, and 300 at the National Disability Insurance Agency.
The Department of Prime Minister and Cabinet — the parent agency for the Australian Cyber Security Centre — told IT News it had been alerted to the breach in early October.
“Once the Australian Cyber Security Centre (ACSC) became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability,” the spokesperson said.
“Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements.”
In October last year, the medical information of more than half a million Australians was compromised after being exposed by the Australian Red Cross Blood Service in Australia’s biggest data breach to date.
The service began contacting more than 550,000 Australian blood donors today whose information was published on an insecure website and accessed by unauthorised users.
The exposed database contained the names, contact details, birthdates, and medical details of Australian blood donors, including whether they had engaged in “at-risk sexual behaviour”.
The records did not contain all information donors share with the service, however.
The 1.74 gigabyte backup file was discovered by an anonymous source, who reported it to security expert Troy Hunt on Tuesday. It was removed the following day.
Mr Hunt said while the information came from the Red Cross, it was published by one of the Service’s partners in a way that was “egregiously bad”.
Online source: News.com.au.