Government-owned credit cards compromised in contractor breach

Numbers and expiry dates of over 600 credit cards belonging to government and law enforcement employees have been stolen and exposed after an attack aimed at an Australian telecommunications company.

The breach happened at the beginning of March, and the information was stolen directly from the company servers. Livia Grabowski, the company’s managing director, first got wind of it after one of its clients reported that the supposed attacker had contacted them and told them that their information had been compromised.

The report prompted the company to review and improve its security measures but, according to ZDNet Australia, it hadn’t quite managed to patch all the holes: the hacker himself has presented the online publication with evidence that he managed to get access to the company network again.

The hacker has submitted the list with the 629 compromised credit card numbers, expiry dates, names, addresses and the names of the organizations their owners work for – mostly federal government agencies – to ZDNet, along with a batch of emails to and from Grabowski, in which the breach and security measures are discussed. Grabowski has since confirmed that the intercepted emails are genuine.

Hopefully, the company has moved to review its security measures again – and this time more thoroughly. But Grabowski seems to have an inkling about who might be behind the hack.

Rojone has recently bid for a tender to supply vehicle-tracking software to the New South Wales Department of Corrective Services, and according to Grabowski, it is likely to get the deal. Since the contract is worth a lot, she believes the attack might have been orchestrated by a rival bidder in order to discredit Rojone.

If the investigation mounted by the police proves her speculation to be correct, this breach could actually be classified as corporate espionage.

In the meantime, the person behind the attack says that the stolen database was actually located on the same server as the company site (i.e. publicly accessible). If that proves to be true, it means that Rojone wasn’t adhering to credit card industry and privacy laws.

According to the hacker, the attack was executed by using URL substitution. He also claims that he has managed to get his hands on over 14,000 more detailed records on Rojone’s retail customers, which were stored in another, but equally insecure, database.
