Telstra executives were only told about Pacnet security breach after their purchase of the firm was complete
Hackers breached the security of telecoms service provider Pacnet just days before Telstra unwittingly purchased the firm in April, it has been revealed.
Australian provider of mobile devices, home phones and broadband Internet, Telstra, was made aware of the breach on finalisation of the purchase on April 16, 2015.
Corporate IT network
Telstra has advised Pacnet customers, staff and regulators in relevant jurisdictions of the breach that allowed third party access to Pacnet’s corporate IT network.
Group executive of Global Enterprise Services Brendon Riley said Telstra had taken immediate action to protect the security of the network once it was informed of the breach.
Trey Ford, global security strategist at risk management specialist Rapid7, likened the security breach revelation to the writing off of a brand new car.
“I feel bad for Telstra,” he said. “It’s like watching someone get in a car accident right after buying a new car. By disclosing the breach, they’re really doing the right thing in terms of transparency – acknowledging a breach is important in protecting relationships.”
Riley said: “Our investigation found a third party had attained access to Pacnet’s corporate IT network, including email and other administrative systems, through a SQL vulnerability that enabled malicious software to be uploaded to the network.
“To protect against further activity we rectified the security vulnerabilities that allowed the unauthorised access. We have also put in place additional monitoring and incident response capabilities that we routinely apply to all of our networks.
“Now we have addressed the breach and understand its potential impacts we are in the process of advising our Pacnet customers worldwide of what occurred and reassuring them that we are now applying the same high level of security we apply to Telstra’s networks.”
The Pacnet corporate IT network is not connected to Telstra and there has been no evidence of any activity on Telstra’s networks.
Mr Riley said there had been no contact from the perpetrators nor did Telstra know the reason for the breach.
“Our focus is not on attribution. Our focus is working with our customers to understand and minimise the impact to them and to give them confidence that we will apply Telstra’s very high security standards to the Pacnet IT network,” Mr Riley said.
“Protecting the information of our customers and people is critically important to Telstra. We make significant investments in security capabilities and work around the clock globally to keep our customers’ data safe and our networks secure.”
Ford added that acquisitions, from a security and technology standpoint, are high risk operations. “There really is no way to know everything you have inherited prior to the transaction closing,” he said. “Acquisition due diligence from a security standpoint is usually focused on the existence of security controls and compliance programs, and I wouldn’t be surprised if we start seeing more focused incident detection exercises before purchase. That said, routine scanning should have detected a SQL injection vulnerability – and finding and closing internet exposed vulnerabilities should be top priority technology teams.”
There are still questions around whether the incident has been closed, though, according to Ford. He added: “If you don’t know how long an attacker has been in your network or what they have taken, the difficulty of removing the attacker(s) can be enormous. To be clear – telecom service providers are interesting to all attackers, including nation state actors, making it even more critical for this sector to be aware of potential risks and vulnerabilities.”
How much do you know about hacking? Take our quiz!