BreachExchange mailing list archives

Claims First State Super flaw ignored for 'years'


From: security curmudgeon <jericho () attrition org>
Date: Wed, 19 Oct 2011 21:03:51 -0500 (CDT)


http://www.smh.com.au/it-pro/security-it/claims-first-state-super-flaw-ignored-for-years-20111020-1m9ao.html

Claims First State Super flaw ignored for 'years'
Asher Moses
October 20, 2011 - 12:09PM

The company that manages the day-to-day operations of First State Super 
denies claims by a former IT staffer that it knew of a major security flaw 
that potentially exposed 770,000 member details years ago and did nothing.

The flaw, exposed by IT security consultant Patrick Webster, allowed 
members to access other members' statements simply by changing a number in 
the URL bar.

[..]

It claims the only statements that were accessed without permission were 
the 568 downloaded by Webster when he was testing the security flaw.

[..]

One First State customer who contacted Fairfax Media said they stumbled 
across the security flaw while checking their statement more than 18 
months ago. ''I discovered the problem completely by accident,'' the 
customer said.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
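The flaw the article describes, a statement reachable by changing a number in the URL, is an insecure direct object reference: the site authenticates the member but never checks that the requested statement belongs to that member. The following is an added example (not code from the article, the newspaper, or First State Super's systems) showing a vulnerable lookup beside a hardened one, plus a simple detection rule over access-log tuples; all member ids, statement ids, balances and log lines are constructed sample data.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Statement:
    statement_id: int
    owner_member_id: int
    body: str


# Constructed sample store with sequential ids, as the URL-number flaw implies.
STATEMENTS = {
    1001: Statement(1001, 7, "balance 52,300"),
    1002: Statement(1002, 8, "balance 18,900"),
    1003: Statement(1003, 9, "balance 41,750"),
}


class AccessDenied(Exception):
    pass


def fetch_statement_vulnerable(member_id: int, statement_id: int) -> Statement:
    """Resolve the statement purely by the id taken from the URL.
    Login proves who the caller is, but nothing ties the requested id to that
    member, so any authenticated member can read other members' statements."""
    return STATEMENTS[statement_id]


def fetch_statement(member_id: int, statement_id: int) -> Statement:
    """Hardened: the id is valid only if it belongs to the authenticated member.
    A foreign id is handled exactly like a nonexistent one, so the response
    does not confirm that another member's statement exists."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.owner_member_id != member_id:
        raise AccessDenied(f"member {member_id} may not read statement {statement_id}")
    return stmt


def flag_probing_members(access_log, threshold: int = 3):
    """Detection: given (member_id, statement_id, outcome) tuples as the hardened
    handler would log them, return members with at least `threshold` denials,
    the pattern left by someone stepping through ids in the URL."""
    denials = Counter(m for m, _, outcome in access_log if outcome == "denied")
    return sorted(m for m, n in denials.items() if n >= threshold)


# Constructed log: member 7 reads their own statement, then requests three others.
SAMPLE_LOG = [
    (7, 1001, "ok"),
    (7, 1002, "denied"),
    (7, 1003, "denied"),
    (7, 1004, "denied"),
    (8, 1002, "ok"),
]
```

The hardened handler returns the same error for a missing id and for another member's id, so the fix also removes the ability to confirm which statement numbers exist.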
