"He noticed that the URL contained the unique ID number for each account and by tweaking the number in the URL, he was able to easily access other people's statements."
OMGWTF, what kind of stupid dumb ass would include a unique ID as part of a URL that can be used to view online statements without further logon details? Whoever designed the security for First State Super should be thoroughly ashamed of him/herself and should go back to kindergarten to be re-educated from the very beginning.
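The flaw the article describes is a missing ownership check on an ID taken from the URL. The following is an added example, not code from First State Super or from the article, showing that pattern beside a handler that ties the record to the logged-in user; the `?id=` URL shape, the sample accounts and all function names are assumptions made for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account ID -> (owner, statement text).
# The "?id=<number>" URL shape is an assumption; the article does not give it.
STATEMENTS = {
    "1001": ("alice", "Statement for account 1001"),
    "1002": ("bob", "Statement for account 1002"),
}
DENIED = []  # (user, account_id) pairs kept so repeated misses can be alerted on


def account_id_from(url):
    """Return the single numeric id parameter, or None if absent or malformed."""
    values = parse_qs(urlparse(url).query).get("id", [])
    return values[0] if len(values) == 1 and values[0].isdigit() else None


def statement_vulnerable(url, session_user):
    """The flawed pattern: the ID in the URL is the only thing consulted."""
    record = STATEMENTS.get(account_id_from(url))
    return (200, record[1]) if record else (404, "not found")


def statement_checked(url, session_user):
    """Same lookup, but the record must belong to the authenticated user."""
    if session_user is None:
        return (401, "login required")
    account_id = account_id_from(url)
    record = STATEMENTS.get(account_id)
    # Same reply for "missing" and "not yours", so the response does not
    # confirm which account IDs exist.
    if record is None or record[0] != session_user:
        DENIED.append((session_user, account_id))
        return (404, "not found")
    return (200, record[1])


if __name__ == "__main__":
    own = "https://example.invalid/statement?id=1001"
    other = "https://example.invalid/statement?id=1002"
    print(statement_vulnerable(other, "alice"))  # served despite wrong owner
    print(statement_checked(own, "alice"))       # owner gets the statement
    print(statement_checked(other, "alice"))     # refused and recorded
    print(DENIED)
```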
"Webster called First State to share with them his discovery and after spending an hour trying to find someone who could understand the technical issues, he got on to an IT staffer there and sent him the evidence."
Is the issue really that hard to understand? OK, even if you don't understand, if I were the receptionist, I would contact the IT department straight away and let the IT people deal with Mr Webster. More incompetent people in the company again.
"The next day Webster received a letter from First State's law firm, Minter Ellison, telling him his actions constituted a breach of the Crimes Act and Criminal Code Act. He was also notified that his First State Super account had been disabled.
"You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police," the letter, seen by Fairfax Media, reads."
A nice way to thank people who save your company, backstabber. Now you have just made public how weak your cyber security is, and I bet the company will attract more attention and hackers. I would hush it up if it was my company.
"Webster was also ordered to destroy all of the records he had accessed and notified that the firm reserved its rights to allow its IT personnel to examine his computer to verify that the records had been destroyed. The firm said they may go after him for costs related to the matter."
What a load of bullshit! I thought only the police with a search warrant can search through your computer. A private company can definitely not do that. Not even a company like Apple or Google, let alone First State Super. OK, maybe Apple and Google can do that without you knowing it, LOL!
"He was given seven days to respond and asked to sign a letter admitting to having gained "unauthorised access"."
If you left something that obvious outside, you can't sue them for unauthorised access. The customers' statements may as well be made public. Who would sign that stupid thing? A conviction out of an innocent man? I would sue them back for perverting the course of justice and negligence as a customer if I were Patrick Webster.
"Dwyer acknowledged that the fact that the account information was exposed, potentially opening up members to identity theft, was "disappointing"."
Learn English, it should be "catastrophic"!
"There was no criminal offence committed and the company in question has been informed of the outcome. It was more a case of a civic-minded person reporting a potential security breach."
Luckily the police know what they are doing.
In conclusion: First State Super = FAILURE. Oh wait, that could be their new name (First State Super Failure)!