Personal Records of 50,000 Australian Employees Exposed in Data Breach

Personal details of almost 50,000 Australian employees have been compromised in the country’s largest data breach since the Red Cross leaks. Reports state that up to 48,270 personal records from employees working in government agencies, banks and a utility have been exposed online by a third-party contractor through a misconfigured Amazon S3 bucket.

Amazon S3 is a form of cloud storage where employees can store and retrieve data from websites and mobile apps. The files exposed include full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses.


Ian Ashworth, security consultant at Synopsys, said: "Cloud computing is an increasingly popular way for centralizing storage and data access and often provides a cheaper more elastic and secure platform for enterprises to harness, however their configuration can often be more than simple.


"Being Internet-connected and widely accessible should dictate a greater level of diligence in their setup and tailoring to ensure they appropriately manage accessibility and control. Authentication and correct levels of authorization are two such essential measures for granting user access to the most sensitive of data or services. When especially dealing with PII and payment details, additional storage protection measures should be employed providing an overall layered security architecture."


Lisa Baergen, director at NuData Security, said: “Breaches such as this, with sensitive and highly valuable personal data involved, act as a pipeline for further cyber crime. Those involved should be extra vigilant in keeping an eye out for spearphishing and other targeted cyber crime attempts. Data in the wrong hands can have a huge impact. Email addresses and password information, combined with other data on the consumer from other breaches and social media, builds a more complete profile.


"In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans and much more. Every hack has a snowball effect that far outlasts the initial breach.


"All personal information is valuable to fraudsters. Names, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We must change the current equation of "breach = fraud" by changing how we think about online identity verification. We need to protect all consumer data, but more importantly, we need to make it valueless. Combining two-factor authentication with a passive behavioural biometric solution would render these kinds of breaches a thing of the past.”

