BIS, a third-party provider, exposed the sensitive information for over a year.
Thousands of current and former employees of the Department of Social Services (DSS) in Australia have been notified that their personal and financial data was breached and left exposed for over a year. 8,500 employees received the emails earlier this month.
In the email, those affected were notified that the data compromise related to staff profiles within the department’s credit card management system prior to 2016. According to local media, the compromised data included employees’ names, usernames, work phone numbers, work emails, system passwords, Australian government services numbers, credit card information, public service classification, and organizational unit.
The leaked data was managed by a third-party contractor called Business Information Services (BIS). The data was left exposed from June 2016 until October 2017, a DSS spokesperson told local media. It is believed that the compromised data was dated between 2004 and 2015.
According to the spokesperson, the Australian Signals Directorate notified the DSS about the data leak at the beginning of October. He added that the Australian Cyber Security Centre immediately made contact with the external contractor to secure the information. Steps were also taken to remove the vulnerability within hours of notification.
Scott Diley, chief financial officer for the DSS, reportedly told affected employees in the letter that the actions of the department’s third-party provider were to blame for the breach. He apparently also stated that the intrusion was not a result of any compromise of the department’s internal systems.
Diley added that the data has since been secured following the notification of the breach. In the letter, he reportedly states that there is no evidence to suggest that the data or the department’s credit cards were improperly used. As a further preventative measure, the DSS advised employees to change their passwords and those of any other websites or applications if they use the same credentials across multiple platforms.
BIS has stated that the breach occurred as a result of a control vulnerability. According to a spokesperson for the group, the compromised data included partially anonymized work-related expense records such as cost centres and corporate credit card numbers, without CCV codes or expiry dates. The company has stated that the vulnerability was secured within four hours and that the data is no longer publicly accessible.
It is believed that the company is now conducting a security review into the exposure. BIS has also reportedly categorized the vulnerability as low-risk. Minister for Social Services Christian Porter has also ordered an investigation into the data leak. The Australian Greens have reacted with anger over the breach. Greens Senator Rachel Siewert told local media that the data leak demonstrated the risks of outsourcing work.