While Australia Post has moved to reassure customers that their financial details were not compromised due to a security glitch with its online service Click and Send, a security expert said the incident could affect consumer confidence in the merchant.
According to media reports, the glitch allowed users to see other customers’ details by altering a shipping identification number that appeared in the URL of a transaction. Click and Send was designed for online postal documentation -- such as preparing items sold on auction site eBay for delivery.
IDC Australia senior market analyst Vern-Harn Hue told Computerworld Australia that the glitch could potentially be a “big blow” for Australia Post as it seeks to position itself as an enabler in the digital economy.
“As increasingly more Australians transact, trade and consume online, digital trust and security is paramount,” he said.
“Consumers need to know that they are backed by a trusted source to handle their personal and financial information and AusPost will have to work hard in order to win over consumers trust.”
Hue added that Australia Post needs to use better data encryption tools as encryption allows the merchant to mask critical and identifiable information while the data is in use and in transit.
“While I do not believe any financial or personal information is at risk, some of these details can be engineered in a spear phishing attack,” he said.
Hue pointed out that customer invoices also contain a significant amount of useful information which can be mined, again, to launch targeted attacks.
In a statement, an AusPost spokesperson said the Click and Send site had been temporarily deactivated and it hoped to have the service back up and running “as soon as possible”.
“Australia Post would like to reassure Click and Send customers that at no stage were their financial details compromised,” an AusPost spokesperson said.
“Customers who wish to send parcels should visit their local Australia Post outlet who will assist them.”
Follow Hamish Barwick on Twitter: @HamishBarwick