Aus Gov Loses Online Privacy Alert Data in Snailmail

A package of user data which included usernames and passwords for the Stay Smart Online website was lost sometime after 11 April, due to a package being lost in the post.

Just a thought: News like this can hurt the folks involved, so please be aware that screw-ups happen. I’d say after a healthy dose of “what in hell” the people involved might learn a huge amount about how the simplest mistakes can bring down the best intentions. AusCert is a not-for-profit group that (very likely) has the interests of the internet community at its heart.

However, a sane person could not make up this screw-up…

You see, the DBCDE was in the process of switching contractors that handled the alert system and needed the information transferred from the one to the other. Someone, somewhere, made the brilliant decision to burn usernames, email addresses, hashed passwords, and password reminders to a DVD for easy transport. Can’t trust the tubes of the web, after all, as there be hackers out yonder. The contractor, AusCERT (information security experts), then sent it via the Australia Post.

Pardon me while I pick up my jaw. Beyond the worry is not a small amount of irony, not so much because of Stay Smart’s tagline but because AusCert should know better.

Stay Smart Online — The Australian Government’s cybersecurity website provides information for Australian internet users on the simple steps they can take to protect their personal and financial information online.

AusCert — the premier Computer Emergency Response Team (CERT) in Australia and a leading CERT in the Asia/Pacific region. AusCERT operates within a worldwide network of information security experts to provide computer incident prevention, response and mitigation strategies for members and assistance to affected parties in Australia.

I mean no disrespect when I say I hope the damn DVD was encrypted. The list of users was made up of the people who had subscribed to the government’s privacy breach alert system. Ahem.

ZDNet reported: Despite the incident, DBCDE has stated that it believes the information has not been found or misused, and that there is no privacy risk, stating that it had only emailed users to remain consistent with best practice for privacy matters.

The mess-up aside, the Stay Smart website itself is actually darn good. The site’s blog is useful and contains content from a range of authors and appears to be written in earnest to help non-technical people better understand the implications of an online life.

Kudos to the govt and the creators for getting the site together. If not for this mess I would not have heard about it, and this mistake only further enhances my opinion that you need to be highly critical of who you trust, and very aware that even the government can make the odd mistake.

Reported and found via Geekosystem (and ZDNet via Slashdot).
