Card Systems is frequently cited as an example of how costly a breach can be to a business, but in Australia, Bottle Domains may become a similar example. Following a breach that resulted in the theft of personal information on approximately 60,000 people that was put up for sale on the internet, the company has lost its status as a domain registrar. Ry Crozier of iTnews reports:
The Australian domain name administrator has ruled out a review of its registrar agreements in the wake of its decision to terminate Bottle Domains accreditation today over a security breach.
auDA took the action after it emerged Bottle may have hidden the hacking of its database for almost two years.
[…]
Bottle, which counts some 11,000 registrants as customers, is the subject of an ongoing investigation by the Australian Federal Police after it was revealed in February that usernames and passwords had been compromised in a ‘security breach’.
It has now emerged, however, that the February ‘breach’ may not have been the first.
In a statement today, auDA said it “has since discovered that Bottle Domains was the subject of an earlier security incident in April 2007, which auDA believes may have caused or contributed to the security incident in February 2009.”
In related coverage, Mark Hawthorne of The Sydney Morning Herald reports:
“Information recently provided to auDA by Bottle Domains about the April 2007 incident revealed that it did not reset customer passwords or alert its customers to the possibility that their account information had been accessed by third parties,” auDA said.
“Bottle Domains also failed to conduct an independent security audit to verify that the security vulnerability had been fixed, and that there was no other unauthorised access to its systems.”