Symantec downplays Oz data breach

17/Jun/2019

American cybersecurity giant Symantec has downplayed a data breach that allowed a hacker to access passwords and a purported list of its clients, including large Australian companies and government agencies.

The February incident and the list which was extracted – which has been seen by Guardian Australia – suggest that all major federal government departments were among the targets of a hacker who also claimed to be responsible for Medicare data being available for sale on the dark web.

But Symantec said the “minor incident” involved “an isolated, self-enclosed demo lab in Australia – not connected to Symantec’s corporate network – used to [demonstrate] various Symantec security solutions and how they work together”.

The incident was not reported because Symantec concluded that “no sensitive personal data was hosted in or extracted from this demo lab, nor were Symantec’s corporate network, email accounts, products or solutions compromised”.

The list

The hacker extracted a list of purported clients of Symantec’s CloudSOC services, account managers and account numbers – but Symantec insists data contained in the system were “dummy e-mails and a small number of low-level and non-sensitive files for demonstration purposes” in a demo lab “not used for production purposes”.

The list of purported clients includes the Australian federal police, the country’s big four banks, insurers, universities, retailers and departments in the New South Wales and federal public service.

“This is an old list of some of the largest public and private entities in Australia – it was in the environment for testing purposes,” a Symantec spokeswoman said. “These entities are not necessarily Symantec customers, nor do we necessarily host services for them.”

Several federal departments, including infrastructure, industry, human services and finance, confirmed that they do not use Symantec’s CloudSOC services and do not store information with Symantec. But Guardian Australia understands that others queried the “minor” breach with Symantec because they are customers.

The Department of Social Services said it “uses Symantec products including CloudSOC, in line with Australian Cyber Security Centre best practice”, adding: “the product in question is not used by the department to store customer, or sensitive information.”

The departments of agriculture, education, employment, communication and arts said they used other Symantec products, but not cloud services, and did not store information with Symantec.

Australia’s Privacy Act

The Australian Privacy Act creates a scheme for compulsory notification when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.

The Symantec spokeswoman said it treated “any cybersecurity incident – regardless of its scope or severity – with the utmost priority and take great caution in complying with the laws of the countries in which we do business around the world”.

“Consistent with our internal policies and guidance, which align with national and international data protection laws, no sensitive personal data or information has been disclosed that would trigger any regulatory obligations, but Symantec will continue to take appropriate remediation efforts if the situation changes.”

The full Guardian Australia report is now available via the link.
