Australian Airport Identity Card Issuer BreachedAviation ID Australia Says Website Accessed By Unauthorized Entity
An Australian company that issues identity cards for access to airports has been notifying applicants and cardholders that their personal information may have been compromised, the Australian Broadcasting Corporation reports.
Aviation ID Australia is one of many Aviation Security Identity Card providers. The company, formed in 2005, services rural and regional airports. The cards are mandatory for individuals, including pilots and air cargo agents, who require unescorted access to sensitive areas of airports.
Ian Barker, managing director at Aviation ID Australia, tells the ABC that the data exposure occurred after a "localized portion of our website" was accessed by an unauthorized entity.
The company had not determined the full extent of the data exposed, but it likely includes names, street addresses, birth certificate numbers, drivers license numbers, Medicare card numbers and ASIC numbers, Barker tells the ABC.
When Information Security Media Group called Aviation ID Australia on Friday and asked for Barker, however, the person who answered the phone said he wasn't available and hung up.
Australian Federal Police are investigating the breach, the ABC reports. The Civil Aviation Safety Authority did not have an immediate comment.
It wasn't clear if the Aviation ID Australia had notified the Office of the Australian Information Commissioner, which enforces the country's Privacy Act. In February, an amendment to the act went into effect that requires organizations with more than $3 million in annual turnover to report serious breaches within 30 days (see Australia Enacts Mandatory Breach Notification Law).
Aviation Security Identity Cards
About 45 airports and companies are authorized to issue ASICs. The cards are intended to show that a person has completed a valid background check, according to the Department of Home Affairs.
The airport cards as well as their marine equivalent "are an important part of securing the aviation, maritime and offshore oil and gas sectors from acts of terrorism and unlawful interference," according to the Department of Infrastructure and Regional Development. The cards must be renewed every two years.
It appears some organizations allow individuals to apply for ASICs online, including Aviation ID Australia. Others offer forms that need to be submitted in person.
Aviation ID Australia's website, however, looks "old and dated and unloved," says Troy Hunt, an Australian security expert. The site returns a response header indicating it runs on Microsoft's Internet Information Services server version 7.5, which launched in October 2009 on Windows 7 and Windows 2008 R2.
Hunt says that in and of itself isn't necessarily an indication that the company's website may have had poor security. But he did notice one login page that wasn't always served over HTTPS, meaning it could potentially allow someone to intercept unencrypted data traffic.
Overall, however, "there's no smoking gun," Hunt says.
Sticky Notes: Not For Passwords
Anyone applying for ASIC used to be able to do the process entirely by post. But changes that took effect last August now require applicants to show identity documents in person at some point in the process.
It was the identity document check that took Tony Morris, a private pilot, to an Aviation ID Australia office near Brisbane's airport in April.
Morris says on Friday that when he went to pick up his red ASIC card, the person helping him left the room for a few minutes. But the person left a terminal unlocked that allowed him to view his details.
Underneath his details, he could also see the names and birthdates of other ASIC applicants. He also saw a curled, yellow sticky note at the base of the monitor that had the word "password" underlined and a word written below.
He snapped a photo. "I thought: My mates are going to love this," Morris says.