Govt loses credit card details in attack

More than 600 corporate credit cards owned by top Federal Government agencies from the Department of Defence to the Australian Federal Police have been exposed in a suspected espionage attack on a Sydney firm.
Written by Darren Pauli, Contributor

ZDNet Australia has obtained a document that contains 629 valid credit card numbers along with expiry dates, organisation and staff names, and addresses.

The list was stolen from the servers of Sydney-based telecommunications company Rojone early last month. According to Rojone's managing director Livia Grabowski, after the theft a person identifying themself as the attacker phoned one of the company's clients to inform them that their credit card details had been compromised.

The client then called Rojone, and Grabowski ordered a review of security, which included penetration testing, and numerous changes were implemented.

The alleged attacker also contacted this publication with news that the database had been stolen from the Rojone site.

The person said they were able to manipulate a Rojone URL address to access the list and did not need to use hacking techniques or exploits to access the data.

Also submitted to ZDNet Australia were several "intercepted" emails between Grabowski and internal technical and sales staff which supported the attacker's claims. Grabowski also told ZDNet Australia that the emails were genuine. The emails showed the company tightened security measures following the breach. For example, it appeared that the entire database was wiped and potentially vulnerable systems were taken offline.

Rojone, worth some $20 million, had recently bid for a tender to supply vehicle-tracking software to the NSW Department of Corrective Services, a tender worth a few hundred thousand dollars, Grabowski said.

She said the company was well placed to be awarded the deal, since it already supplies software to the Western Australian Department of Corrective Services, and voiced the suspicion that a rival bidder had attacked the company to discredit it.

She suspects two contractors in particular, although evidence is still thin on the ground and forensic investigations have not been completed.

The person claiming to be the attacker told ZDNet Australia he has "over 14,000 records ... including credit card details ... addresses, phone numbers and email addresses," and added that there were "quite a few personal details listed for their retail customers, insecurely, on another database too".

The attacker said that the company had "no security, unless they thought that denying ping requests on their router was security".

If the data was obtained using URL substitution, the storage of the data on a publicly accessible server would be a contravention of rigorous credit card industry standards and privacy law.

ZDNet Australia contacted the Department of Defence for comment on the breach but Defence had not responded at the time of writing.

The Australian Federal Police and NSW Police have also been contacted for comment.

The AFP said it "can confirm it is aware of the matter" but "does not confirm or deny" whether it is currently investigating.

Federal Police are typically only involved in investigating cyber attacks on government agencies.

The Australian Intelligence Security Office (ASIO), the nation's chief espionage investigator, said it is not investigating the matter.
