topic Re: Australia Post/Click and Send Online Security Breach in Selling

Australia Post/Click and Send Online Security Breach

boomct — Thu, 18 Oct 2012 22:44:00 GMT

http://www.heraldsun.com.au/news/national/australia-post-in-online-privacy-breach/story-fndo45r1-1226498834454

Arrghh. This is absolutely no surprise to me but makes me boiling mad. When Click and Send first started I took them to task over the fact that they sent all my info (passwords and all) back to me unencrypted. 6 months later they were still doing it. And now this. As well as the consistent difficulties I have using their site.

Anyone else have this experience or am I just being unfairly grumpy?

Boo.

Re: Australia Post/Click and Send Online Security Breach

***super_nova*** — Thu, 18 Oct 2012 23:16:32 GMT

I have been using C&S from the time it was introduced and have not had any major problems; safe for the site disputing correct postcodes.

I find the claim that "Customers who typed a random number into the online parcel tracking system were provided with the details of thousands of customers" bit strange. When you type tracking number into the search you do not get anybody's name and address; you just get where/when that particular parcel was lodged, other points of scan and then just the suburb where it was delivered. I can imagine that if you have a tracking number and alter the last couple of digits you would be getting valid tracking numbers and the info would be available to you, but would be pretty much useless. Some AP staff may have an access to more info, and if anybody was able to log in with the staff code they may be able to get such an info.

Re: Australia Post/Click and Send Online Security Breach

b3llag1na — Thu, 18 Oct 2012 23:21:00 GMT

Hmmm.. I am under the distinct impression that this is old news re-hashed...

I am pretty sure that they closed the site over the weekend a week or two back and "fixed" it then??

Re: Australia Post/Click and Send Online Security Breach

calsof — Fri, 19 Oct 2012 00:09:39 GMT

No, I couldn't get tracking info yesterday and the day before for probably just under a day.

Seems sus but now a bit worried. Tracking system isn't too crash hot as it is... now we have to worry about security breaches? 😞

Re: Australia Post/Click and Send Online Security Breach

digital*ghost — Fri, 19 Oct 2012 00:46:32 GMT

That article doesn't explain the (alleged) breach very well - the issue (again, allegedly 😉 ), was that once a transaction was completed via C&S, anyone could alter the URL of the site - which contains an ID number - with randomly selected numbers and bring up someone else's completed transaction details.

Re: Australia Post/Click and Send Online Security Breach

digital*ghost — Fri, 19 Oct 2012 00:48:18 GMT

And yes, this happened a couple of weeks ago, with an announcement made by AP on the 4th of October: http://www2.ebay.com/aw/au/201210.shtml#2012-10-04165630

Re: Australia Post/Click and Send Online Security Breach

davewil1964 — Fri, 19 Oct 2012 04:38:36 GMT

As has been noted several times, this is old news.

Re: Australia Post/Click and Send Online Security Breach

boomct — Fri, 19 Oct 2012 05:09:02 GMT

Old news perhaps, but it points to a system that has had IT security issues from the beginning which are very easily preventable. And with rising Aus Post charges, I would expect much better. Grumpph . . .

Re: Australia Post/Click and Send Online Security Breach

phorum_junkie* — Fri, 19 Oct 2012 06:13:38 GMT

What a huge fuss about nothing, just like most of these scaremongering articles. If the press hadn't drawn attention to the issue just how many people would have tried to do this if they hadn't read about it? I suspect zero, I suspect AP found the problem themselves and then announced it and said their would be disruptions to the service while they did so.

I have only had a problem with click & send twice and a quick phone call sorted them out quickly and efficiently and of course it was my ineptitude that caused them in the first place.

Re: Australia Post/Click and Send Online Security Breach

viewmont1071 — Fri, 19 Oct 2012 18:34:33 GMT

and I suspect that now you can use paypal to pay for click and send you can expect a lot more of it

the OP mentioned unencrypted passwords

... What a huge fuss aboput nothing PJ???? are your click and send, ebay and paypal passwords (if you use paypal to pay for click and send) being sent unencrypted to and fro on the internet?

The Op says yes, and it does not bother you??...

I do not think it is names and addresses of the person who bought the frilly red knickers is the "crux" of the security breach argument but rather the passwords.

Nicola Roxon is on the right track with mandatory data breach reporting

http://theconversation.edu.au/youve-been-hacked-why-data-breach-reporting-should-be-mandatory-10220

an excerpt

Entitled “Australian Privacy Breach Notification”, the discussion paper asks whether companies and other organisations should be required to report any breaches that occur to personal data they are storing.

Only a day after Ms Roxon released the discussion paper we saw a great example of why mandatory data-breach notification is required.

On Thursday Australia Post shut down its electronic parcel tracking service after a computer malfunction exposed the personal details of thousands of customers who were sent parcels. Mandatory data-breach reporting would have required Australia Post to tell customers of the breach immediately

rather than having the message delivered through the media the following day

Of course, Australia Post is not alone – many large Australian companies and organisations – including Telstra, Defence and Medvet – have suffered data breaches in the recent past.

What Ms Roxon didn’t say was the majority of companies don’t seem to take customer privacy very seriously.

Currently, if an Australia company suffers a data or security breach, they are encouraged (but not required) to disclose the details to the Privacy Commissioner.

Re: Australia Post/Click and Send Online Security Breach

viewmont1071 — Fri, 19 Oct 2012 18:41:07 GMT

I suspect AP found the problem themselves and then announced it and said their would be disruptions to the service while they did so.

Customer Trevor Ryan, a former mail contractor, tried to alert Australia Post to the problem yesterday but was told to put his complaint in writing.

An Australia Post spokeswoman yesterday apologised for the "inconvenience" of suspending the parcel-tracking service

- but not for exposing private information

because.....obviously.... unless they are forced to give a rat's about their customers privacy then they will not but would prefer the PJ style of action

.... ie "quick under the carpet with all that dirt, bloody whingers...nothing going on here, move along move along"

Re: Australia Post/Click and Send Online Security Breach

viewmont1071 — Fri, 19 Oct 2012 19:30:55 GMT

So AFAIK from the stories a breach occurred on the 4th and a breach occurred again on the 18th at least and possibly the whole period in between those dates...is that current or "old news"

Given APs seemingly total lack of responsibility and the fact that they do not have to tell customers of security breaches coupled to the fact that disclosures of breaches would deter some customers from using the system

ie. not good advertising for the online system

.;..who thinks there may be more????