Slashdot Mirror


Data Breach Hits Australia's Department of Social Services Credit Card System (theguardian.com)

Paul Karp, reporting for The Guardian: The Department of Social Services has written to 8,500 current and former employees warning them their personal data held by a contractor has been breached. In letters sent in early November the department alerted the employees to "a data compromise relating to staff profiles within the department's credit card management system prior to 2016." Compromised data includes credit card information, employees' names, user names, work phone numbers, work emails, system passwords, Australian government services number, public service classification and organisation unit. The department failed to warn staff how long the data was exposed for but a DSS spokesman told Guardian Australia that the contractor, Business Information Services, had advised that the data was open from June 2016 until October 2017. The data related to the period 2004 to 2015.


  1. Terrible contractor. by Anonymous Coward · · Score: 1

    They stored "system passwords" in such a way that a data breach would reveal them?
    For 16 months all information needed to impersonate various government officials was "open"?

    I wonder if there will be actual negative consequences for them from this.

    1. Re:Terrible contractor. by _merlin · · Score: 1

      None of the Australian government IT incompetence surprises me. I know a lot of the people who work on these systems, and they're the kind of people who wouldn't get hired anywhere else. Don't get me wrong, a lot of them are really nice guys/gals and I'd have a beer with them any day of the week, they're just terrible developers. A lot of them were pushed by their parents to study computer science on the tail end of the dotcom bubble. Well-meaning parents thought they'd be setting up their kids for a safe and potentially lucrative career, but the kids really weren't interested in it and in many cases had no aptitude for it. So you ended up with a large oversupply of mediocre developers, who found it hard to find employment in the industry.

      The government, wanting to at least appear to drag themselves into the 21st century, started hiring developers to build new internal systems and public-facing web sites for the Department of Social Security (DSS), Australian Taxation Office (ATO), Medicare, etc. The pay they offered wasn't great, and it often required you to move to Canberra. So they definitely weren't attracting the best and brightest, but it did allow a lot of these mediocre developers to get jobs that were enough to make their parents proud of them. But since they aren't really paid very well, and there's no tangible benefit for performing above average (e.g. can't get a bonus for landing a big sale by implementing a new feature), they don't have much of an incentive to work hard or skill up. So they muck around playing indoor cricket in the corridors, and playing CS:GO on the days when they're working from home.

      Interestingly, some Australian government departments seem to be a lot more competent with their IT, notably the Department of Foreign Affairs and Trade (DFAT) and the Australian Securities and Investment Commission (ASIC). These departments spend a lot more time dealing with the businesses that bring money into the country (Australia is still very much a primary producer/exporter), so there seems to be a bit more pressure to have things working.

    2. Re:Terrible contractor. by Pseudonym · · Score: 1

      I worked in IT in the federal public service for about six months. It was one of the most soul-sucking experiences of my life. Hence, only six months.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  2. Too many... by bib1620 · · Score: 1

    Here are 2 other sites which have been breached: zoneedit.com and 123-reg.co.uk. Neither reported it and neither admit it.

  3. Re:Trump? Gays? by Hognoxious · · Score: 1

    This here's Straaaaylia, mate. No bloomin gays here: it's rule number one.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  4. Re:Wouldn't be as much of an issue with crypto by Desler · · Score: 1

    But crypto is used by terrorists. You’re not a terrorist are you?

  5. Vendors (i.e. cloud computing) by Matt.Battey · · Score: 1

    Why is it that most of these data breaches seem to come from third parties that are contracted to serve their clients good, and then fall on their faces?

    Is it because of that Willie Sutton "That's where the money is," or is it because these third parties have indemnified themselves legally, and really don't care?

    Second question, would it even be a problem if the credit reporting agencies didn't make the Banks think your personal information was what really identified you, and your business value?

  6. Re: Wouldn't be as much of an issue with crypto by Matt.Battey · · Score: 1

    And the Reds, don't forget about the Reds.

  7. Re: Strewth! by Desler · · Score: 1

    Fosters. Australian for beer!

  8. Re: Strewth! by Ze+Wah · · Score: 1

    Fosters. Australian for beer!

    Not in Australia it isn't! No One Drinks Fosters Over here.
    We export our crap beer so we don't have to drink it!

  9. Re:Shame on Slashdot users by Ze+Wah · · Score: 1

    Just another troll. I would mod down but have already commented.
    Typical, they are posting as an Anonymous Coward.

  10. Personal data has been breached .. by najajomo · · Score: 1

    "The Department of Social Services has written to 8,500 current and former employees warning them their personal data held by a contractor has been breached."

    In this day-and-age why wasn't such data held in an encrypted form?

  11. Re:Trump? Gays? by Pseudonym · · Score: 1

    You're not Strayan, mate. This is the real one.

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  12. Re: Strewth! by mjwx · · Score: 1

    Fosters. Australian for beer!

    No-one in Australia drinks that swill, it's strictly for non-Australian markets because nothing is too bad for the rest of the world.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.