While you might have heard a lot of noise about a large and terrifying Australian data breach in the past week, here at BreachAlarm we’ve been determined to get to the bottom of the hype.
Behold: Here’s what we know about the Aussie Travel Cover breach.
They’ve known about their own breach since 18th December, but Aussie Travel Cover has been keeping it all under wraps.
The company, an agent of insurance giant Allianz, was struck by an SQL attack over December’s holiday season.
The SQL vulnerability was since patched by Aussie Travel Cover when they took their website down for over a month, however it seemed the damage had already been done.
The hacker posted the structure of the company’s database on text sharing site, Pastebin, as well as linking to a RAR archive of two tables: ‘Policies’, with around 770,000 rows, and ‘Consultants’, with 133 rows.
The first of these is the leak that’s being quoted across multiple news sites.
####A little misinformation can go a long way.
The ABC happened to mention in their report that yet another table (called ‘Banking’), containing over 100,000 records was also captured by the hacker.
However, this appears to have been simply to give an idea of the nature of the information in the breach, rather than what is actually contained within the public part of the leak.
Unfortunately, this number has been repeated without its original context across many news sites, leading to a certain amount of misinformation on the subject.
Either way, the information that’s actually within the leak does not appear to be overly sensitive: it contains no account numbers, credit card details, and instead stores only agent commissions and cheque numbers.
In fact, on our inspection of the databases, we found them to contain very incomplete data. For example, the smaller ‘Consultants’ table only contained alphabetical rows from ‘AA’ to ‘AC’.
Further, the larger ‘Policies’ table contains no valid information beyond a field called ‘CoverType’, meaning that it contains no phone numbers, names or email addresses. However, street addresses and partial credit card numbers are involved (e.g: “455701xxxxxxx834”), which could possibly be used for Social Engineering.
####So, what’s actually inside?
As far as data leaks go, though, the ‘Policies’ table is rather unremarkable. We found the data within to be full of duplicates, with one row even being repeated over 85, 000 times. The hacker has subsequently stated to the press that much of the data is corrupted.
The social implications of this leak are, however, a little more interesting.
####Left in the dark … by design.
Third party agents were swiftly notified of the breach on December 23rd, however regarding its regular customers, Aussie Travel mentioned in its email communications that “at this stage, there is no reason to advise policy holders.”
Aussie Travel Cover has found itself in a lot of hot water over their response to the leak, with customers both angered and scared over the implications.
However, under current legislation, companies are not required to disclose breaches to their customer base. This has sparked some interesting public discussion as to whether these laws should be re-examined.
The Australian Law Reform Commission, according to the Data Breach Notification Guide, previously recommended that:
“…the Privacy Act be amended to impose a mandatory obligation to notify the Privacy Commissioner and affected individuals in the event of a data breach that could give rise to a real risk of serious harm to affected individuals.”
The teenage hacker, believed to be living in Queensland, Australia, has so far faced no legal consequences. Just don’t expect to hear too much from him for the rest of the month: he’s apparently maxed out his family’s broadband plan.