Internet service provider (ISP), AAPT, which was the target of a data breach by hacktivist group, Anonymous, is now under the spotlight of Federal Privacy Commissioner, Timothy Pilgrim.
A server used by AAPT was compromised in the attack. Pilgrim said in a statement that both AAPT and the server’s owner, Melbourne IT, are being investigated over the data leakage which included documents showing federal government accounts, information from departments such as the Australian Federal Police (AFP) and names of AAPT staff members.
“I opened an investigation into AAPT and Melbourne IT after customer data had been compromised in a recent hacking attack,” he said.
“I will look at whether their practices were consistent with the Privacy Act at the time of the incident.”
On 30 July, the Office of the Australian Information Commissioner (OAIC) confirmed that it had been in contact with AAPT to discuss the incident and had received a report from the ISP about the data breach.
The OAIC and the Australian Media and Communications Authority (ACMA) do not have powers to invoke financial penalties on companies for breaches. However, the Privacy Act is currently undergoing reforms, with increased powers slated for the Privacy Commissioner, including the ability to seek civil remedies and enforce undertakings.
Anonymous released some of the 40GB of data that was taken from AAPT’s compromised server on 30 July as part of a campaign against the Australian Government’s proposed data retention laws which are currently under discussion by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
One of the proposals includes "tailored data retention periods for up to two years for parts of a data set", with every internet users' entire web history logged and stored for up to two years.
Melbourne IT chief executive, Theo Hnarakis, said at the time that the company was investigating the breach. According to Hnarakis, the incident was related to a specific vulnerability which only affected a small number of servers.
“We believe this was an isolated incident however we are treating the matter extremely seriously and are undertaking multiple additional scans across our entire infrastructure base which includes a large number of servers,” he said.
A Melbourne IT spokesperson confirmed that the company is assisting the Commissioner with the investigation.
Follow Hamish Barwick on Twitter: @HamishBarwick