The Australian Internet service provider (ISP) Westnet was breached in June after a Twitter user (@Cyber_War_News) stumbled upon a message board brimming with sensitive data. A hacker was selling over 30,000 Westnet customers’ information, such as passwords, and had them up for grabs in plain text. Westnet is one of the country’s biggest ISPs, a subsidiary of iiNet. According to Matthew Toohey, CIO, “We’ve been made aware of a possible security breach on a Westnet system, and are currently investigating. Our customers’ privacy and security is our highest priority, and we will advise customers if any action is required… iiNet is aware of an incident that may have resulted in unauthorized access to old customer information stored on a legacy Westnet system.”
There’s an emphasis on the “old” information as Toohey understandably tries to calm customers who have no idea if their information has actually been used for identity theft. Unfortunately, most people aren’t very careful or vigilant when it comes to their password information. It’s not uncommon to use the same password and/or username for something like a Westnet password as well as banking information. It can take weeks, months or even years for a cybercriminal to actually put information to use, which can cause a delayed onset of problems for those whose information was stolen.
Westnet was acquired by iiNet in 2008 for an impressive AU$81 million. In the past seven years, a large number of legacy systems have still been left online. Westnet has kept pace with state-of-the-art equipment, and comes with generous funding, but that still isn’t enough to keep out cybercriminals. Australia isn’t alone. In June 2015 alone, there were major hacks within the US and Japanese governments, not to mention the nearly constant stream of smaller hacks that don’t make major headlines. Of course, the US and Japanese governments boast incredible cybersecurity, yet that still wasn’t strong enough. According to NASA’s former head of security, every single big corporation in the US has been hacked at some point. The degree of damage, though, can vary drastically.
Thus far, iiNet has sent an email to thousands of customers stating that “Although this unauthorized access has now been blocked and reported to relevant law enforcement agencies, an investigation has confirmed there was a period in which details associated with your Westnet account were accessible by a third party.” Customers are encouraged to change passwords, but are reassured that, aside from other data such as phone numbers and physical addresses, there was no stored financial data that hackers could have accessed. Still, the breached system is offline and iiNet is carefully monitoring accounts.
In the US, it’s legally required for businesses to announce data breaches in almost every state. However, there are no such laws in Australia. Companies can choose to disclose this information as they see fit, and aren’t required to disclose a certain amount of data. Westnet is talking selectively to the media, and of course is hoping that the publicity will soon blow over.
Any customer, of any business, can often tighten security on their end by regularly changing passwords and not storing financial data when given the option.