AAPT
Summary
AAPT, an Australian telecommunications provider, had customer data stolen by the Anonymous hacktivist collective between 17 and 19 July 2012. The attackers accessed a database containing 264,691 customer names, 1,394 driver licence numbers and 13 sets of credit card details through vulnerabilities in outdated software on a server managed by Melbourne IT.
What Happened
Anonymous accessed AAPT's data through the "Cold Fusion" application installed on a server hosted by WebCentral Pty Ltd, a web hosting business unit of Melbourne IT. AAPT was running an old version of Cold Fusion with known security vulnerabilities. The attackers stole 601 database tables from a backup containing personal information used to verify customer identity and to provide quoting and billing services to AAPT sales staff.
Melbourne IT notified AAPT of the incident on 25 July 2012. On the same day, AAPT disconnected from the Melbourne IT network and took immediate steps to ensure data could not be further compromised. The compromised server held websites and databases including information collected for obtaining credit reports and transferring telephone numbers from other telecommunications carriers.
Anonymous threatened to release the stolen data as part of a protest against Australia's proposed data retention regime, which would have required ISPs to collect and retain users' transmission data for up to two years.
Impact on Individuals
The breach exposed sensitive personal and financial information:
- Identity theft risk: 1,394 driver licence numbers combined with names and addresses could be used to assume victims' identities
- Credit card fraud: 13 sets of credit card details were directly accessible to the attackers
- Privacy concerns: Phone numbers, addresses and email details were exposed for over 260,000 customers
- Targeted scams: The combination of telecommunications service details and personal information enabled sophisticated phishing attempts
AAPT sent 1,393 notification letters specifically to customers whose sensitive information (driver licences and credit cards) had been compromised.
Organisational Response
Following an own-motion investigation, Australian Privacy Commissioner Timothy Pilgrim found on 15 October 2012 that AAPT had breached the Privacy Act in respect of the incident. The Australian Communications and Media Authority (ACMA) issued a formal warning, stating it was "appropriate in the circumstances". AAPT liaised with the Australian Federal Police to mitigate potential harm to affected customers.
The investigation highlighted AAPT's responsibility for maintaining current software versions. The company was using Cold Fusion as a "customer-managed application" under contract with Melbourne IT, making AAPT responsible for ensuring it was properly secured and updated.