Symantec soft-pedals unreported data breach

Symantec says a data breach allowed a hacker to access passwords and a purported list of its clients

Symantec, the U.S. cybersecurity company, has played down a security breach that enabled a hacker to gain access to passwords and, possibly, a list of its clients.

The list, which contains details of large Australian companies and government agencies and was obtained during the February cyberattack, has been seen by Guardian Australia. It suggests that all major federal government departments were among the hacker's targets. Apparently the perpetrator has also claimed responsibility for Medicare data being available for sale on the dark web.

A spokesperson from Symantec said the “minor incident” involved “an isolated, self-enclosed demo lab in Australia, which is not connected to Symantec’s corporate network”.

The company did not report the incident because it concluded that “no sensitive personal data was hosted in or extracted from this demo lab, nor were Symantec’s corporate network, email accounts, products or solutions compromised”.

Although the attacker successfully extracted a list of purported clients of Symantec’s CloudSOC services, account managers and account numbers, Symantec insists data contained in the system were “dummy e-mails and a small number of low-level and non-sensitive files for demonstration purposes” in a demo lab “not used for production purposes”.

The firm's spokesperson said:

“This is an old list of some of the largest public and private entities in Australia – it was in the environment for testing purposes ... These entities are not necessarily Symantec customers, nor do we necessarily host services for them.”

A number of federal departments, including finance, human services, industry, and infrastructure, confirmed that they do not use Symantec’s CloudSOC services and do not store information on Symantec's servers. However, Guardian Australia understands that others queried the “minor” breach with Symantec because they are customers.

In a statement, the Department of Infrastructure, Transport, Cities and Regional Development noted the department name referenced in the list was “discontinued in 2013”.

“We have received no notice from Symantec regarding this matter, but we will make contact in relation to their continued use, if any, of our department name.”

According to The Guardian, the Department of Home Affairs said in a statement it “does not use the Symantec CloudSOC services, however does use a number of other Symantec products on the department’s internal network, that are managed by departmental staff”. The statement also said: “The department does not have any sensitive information that is held by Symantec. ... Information held by Symantec would relate to Symantec’s commercial relationship with the department, which is publicly available information.”

The Australian Privacy Act creates a scheme for compulsory notification when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.

The Symantec spokesperson said it treated “any cybersecurity incident – regardless of its scope or severity – with the utmost priority and take great caution in complying with the laws of the countries in which we do business around the world”.

“Consistent with our internal policies and guidance, which align with national and international data protection laws, no sensitive personal data or information has been disclosed that would trigger any regulatory obligations, but Symantec will continue to take appropriate remediation efforts if the situation changes.”

Sources: The Guardian

Peter Borner