Some updates to the First State Superannuation breach reported previously:
1. First State will not be taking legal action against Patrick Webster, the customer and IT security expert who alerted them to the breach.
2. The Australian Privacy Commissioner will investigate the breach.
3. On October 19, First State issued a statement linked from their home page. This revised/updated statement makes no reference to demanding that Webster turn over his computer or that he might have to pay for the cleanup of the breach.
Suppose First State had not responded as inappropriately as they originally did. Would the media have given such coverage to the security problem with the site, or would this have just been one of the many situations where companies become aware of a problem and fix it without it attracting a lot of public scrutiny or bad press? I tend to think First State never would have gotten so much bad press were it not for their threatening the researcher and making outrageous demands such as holding him financially liable for them cleaning up their own mess.
So I’m filing this one under “How NOT to handle a reported problem” and reminding entities that it is probably best to thank whoever notifies you of a security problem rather than threaten them. Shooting the messenger generally doesn’t work out well for companies.
Update: It seems that First State – and especially Pillar’s – bad press is not over yet. It also appears that this security risk was present for almost two years.