First State Superannuation has dropped its legal action against security consultant Patrick Webster for disclosing a security hole without its authorization.
The fund had earlier served Webster with a legal letter demanding that he give its IT staff access to his computer.
First State was concerned that Webster had retained customer data after demonstrating a direct object reference vulnerability in the fund's website, through which he had retrieved 578 accounts using a script.
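The class of flaw described above is usually called an insecure direct object reference (IDOR): the endpoint authenticates the caller but never checks that the record identified in the request belongs to that caller, so a script that walks the ID range pulls everyone's statements. The following is an added example written for this article, not code from First State Super or from Webster; the member names, balances and sequential statement IDs are constructed sample data, and the function names are invented for illustration. It shows the vulnerable lookup beside the ownership-scoped lookup that closes the hole, and a small enumeration loop that models the scripted retrieval.

```python
"""Added example (not part of the article or of First State Super's code):
a minimal model of an insecure direct object reference on a benefit-statement
endpoint, beside the ownership check that fixes it. All data is constructed."""

from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Statement:
    statement_id: int   # the identifier exposed in the URL, e.g. ?id=1002
    member: str         # member the statement belongs to
    balance: float


# Constructed sample data. Sequential IDs are what makes enumeration trivial;
# note that two statements belong to "alice".
STATEMENTS = {
    1001: Statement(1001, "alice", 52_300.00),
    1002: Statement(1002, "bob", 18_950.50),
    1003: Statement(1003, "carol", 233_010.75),
    1004: Statement(1004, "alice", 4_100.00),
}


def get_statement_insecure(session_member: str, statement_id: int) -> Optional[Statement]:
    """Vulnerable handler (hypothetical name): the caller is authenticated,
    since a session exists, but the handler never checks that the requested
    statement belongs to that session's member."""
    return STATEMENTS.get(statement_id)


def get_statement_secure(session_member: str, statement_id: int) -> Optional[Statement]:
    """Hardened handler (hypothetical name): the lookup is scoped to the
    authenticated member, so a foreign ID is answered exactly like a
    non-existent one and reveals nothing about other members."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.member != session_member:
        return None
    return stmt


Fetch = Callable[[str, int], Optional[Statement]]


def enumerate_statements(fetch: Fetch, session_member: str,
                         first_id: int, last_id: int) -> List[Statement]:
    """Model of the scripted retrieval: log in as one member, walk a
    contiguous ID range and keep whatever the endpoint hands back."""
    found = []
    for sid in range(first_id, last_id + 1):
        stmt = fetch(session_member, sid)
        if stmt is not None:
            found.append(stmt)
    return found


if __name__ == "__main__":
    # As member "bob", the vulnerable endpoint leaks every statement in range;
    # the hardened endpoint returns only bob's own statement.
    leaked = enumerate_statements(get_statement_insecure, "bob", 1000, 1010)
    own = enumerate_statements(get_statement_secure, "bob", 1000, 1010)
    print("insecure:", [(s.statement_id, s.member) for s in leaked])
    print("secure:  ", [(s.statement_id, s.member) for s in own])
```

The fix is the server-side ownership check, not obscurity: replacing sequential IDs with random ones only slows enumeration down, and a leaked or guessed ID would still be served to the wrong member without the check in `get_statement_secure`. Returning the same empty response for "not yours" and "does not exist" also avoids confirming which IDs are valid.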
Webster, a former security specialist with the NSW Police turned consultant, went public with the story to Risky Business and SC last week.
In a statement, First State said there had been media coverage concerning unauthorized access to its members' online benefit statements, and that the members whose statements were accessed had been informed.
Although Webster contacted the fund immediately and disclosed what he had done, saying his aim was to highlight a security flaw rather than to commit fraud, his actions could still constitute a breach of privacy legislation, and First State Super was obliged to report the matter in line with the Privacy Commissioner's recommendations.
First State reported the matter to the NSW Police to ensure that any unauthorized copies of the member statements involved were destroyed.
First State said it had no doubt its members would expect that assurance from it.
The NSW Privacy Commissioner was investigating the breach. It seemed unlikely that an enforceable undertaking would be required of First State Super, since it had patched the vulnerability immediately and informed the affected members.
First State said it values Webster's disclosure and no longer intends to take legal action against him.
First State was not, however, the first company to pressure Webster over a disclosure.
During recent security tests conducted through his consultancy OSI Security, Webster found holes in the content management system (CMS) of a competing information security firm.
He discovered a login bypass in the CMS and informed the company right away, at about 11pm, because its administrative pages could be indexed by search engine bots.
The firm's system crashed the following day and it suspected Webster's activity was connected. The company called the police.
That situation was resolved quickly and the vulnerability was fixed.
Security testers will continue to face threats for disclosing vulnerabilities to unsuspecting businesses.
Penetration testers Chris Gatford and Drazen Drazic said security professionals are naturally curious and must balance the desire to help fix bugs against the risk of a lawsuit.