Negligence by a third-party contractor exposed the personal information of approximately 50,000 Australian employees online.
A Polish security researcher who uses the moniker “Wojciech” discovered the information while searching for open Amazon S3 buckets. The details belong to 48,270 employees of Australian government agencies, banks, and a utility. Among them, insurer AMP was perhaps the hardest hit; the misconfiguration exposed 25,000 of its employees’ information including their names, passwords, phone numbers, and in some cases their credit card numbers. 17,000 staff members from utility UGL were also victims of the breach.
It appears the misconfiguration originated from a single third-party contractor. None of the affected companies have named that entity at this time. That has not prevented some from confirming the exposure, however.
In fact, a spokesperson for AMP did just that in a statement provided to iTnews:
“The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed. No customer data was compromised at any time. AMP treats data security very seriously and has strict policies in place regarding the handling of data with third party vendors. We are reviewing the situation to ensure standards are maintained.”
AMP, UGL, and others are currently working with the Australian Cyber Security Centre (ACSC) and the external contractor to implement “effective response and support arrangements.” The ACSC first learned of the breach in early October. Subsequently, it contacted the contractor and assisted them in fixing the misconfiguration.
This security incident appears to be the second largest data breach in Australia’s history after a partner of Red Cross Blood Service accidentally published a 1.74 GB trove of 550,000 Australian blood donors’ information online. The leaked details included their names, email addresses, phone numbers, physical addresses, and other data pertaining to their Red Cross donor histories.
Given the risks posed by an unsecured S3 bucket, it’s important that organizations take steps to secure all their data on the Amazon Web Services (AWS) platform. Here are a few tips to get them started.