Australian telco AAPT confirms Anonymous data breach

Australian telecoms firm AAPT confirms business customer data was breached by hacktivist group Anonymous at an external service provider

Australian telecommunications company AAPT has confirmed some business customer data was compromised in a breach of computer systems at an external service provider.

The telco began investigating after hacktivist group Anonymous threatened to release 40GB of data from an Australian internet service provider, with 3.5GB allegedly coming from AAPT.

The compromised data is believed to be a 40GB backup of an Adobe ColdFusion database, accessed through a well-known vulnerability, according to local reports.

The threatened release of data appears to be in protest against Australia's proposed data retention rules, which would require ISPs to collect and hold data from users for up to two years.

By stealing the data, the hackers sought to prove that ISPs and telcos were unable to protect the data they would be required to collect and retain under the proposed rules, reports said.

"It was brought to our attention by our service provider, Melbourne IT, that there had been a security incident and unauthorised access to some AAPT business customer data stored on servers at Melbourne IT," the telco said in a statement.

AAPT said it had immediately instructed Melbourne IT to shut down the affected servers. However, AAPT claimed initial investigations showed the breach involved only two "historic" data files with "limited" personal customer information.

The compromised servers have not been used or connected to AAPT for at least 12 months, the company added.

AAPT said the company would undertake a thorough investigation of the data breach to establish the exact type and extent of data that had been compromised; how the security incident happened; and what further measures were required to prevent any future incidents.

In the UK, the government's draft Communications Bill, published in June, sparked controversy because of requirements for ISPs to store records of internet use for a year.

In that time, records of people's activity on social network sites, webmail, internet phone calls and online gaming will be accessible to the authorities.

In March, the benefits of retaining communications data were called into question after the release of German police statistics that showed the number of internet crimes solved rose after data retention was discontinued.

The statistics come from North Rhine-Westphalia, Germany's most populous state. Germany stopped keeping communications data after a Supreme Court ruling in March 2010.

The statistics showed that, in 2010, mainly after data retention ended, 11.8% fewer cases of internet-related crimes were registered by North Rhine-Westphalia police than during the previous year.
