The City of Ballarat and Federation University are among 65,000 entities whose private user information has been made public because of a configuration error within Microsoft, in yet another breach of data privacy.
The latest breach is not a cyber attack but rather appears to be human error. It's not clear whether any third parties have taken advantage of the inadvertently-released material, nor is it clear exactly what data was released.
SOCRadar, a cyber threat and digital risk company based in the United States, uncovered the data breach last week, revealing Microsoft's 'Azure Blob' storage had been misconfigured, making publicly available user information, product orders and offers, project details, PII (Personally Identifiable Information) data, and other documents possibly revealing intellectual property. The leak was called 'BlueBleed' and affected 150,000 companies and other bodies.
There are six large 'buckets' of data information; the largest, which contains the Ballarat information, is called BlueBleed Part I and covers 111 countries.
"BlueBleed leaks include critical data such as project details, signed customer documents, and customer emails," SOCRadar CEO Huzeyfe Onal wrote in a blog post.
"The exposed data, if parsed properly, enable threat actors to create elaborate attacks against the companies at risk of BlueBleed. Even though most of the data consists of RAW files of databases, the threat actors certainly have enough resources to parse and process the data."
Surely this is not the first time a misconfigured server has exposed sensitive information, and it will not be the last. However, with vital leaked data belonging to tens of thousands of entities, BlueBleed is one of the largest B2B leaks in recent years.- Can Yoleri, vulnerability and threat researcher and primary investigator of BlueBleed for SOCRadar
Microsoft attacked SOCRadar for exposing the breach, saying the threat was 'exaggerated'. It did not deny the leak took place, but the company was 'disappointed that SOCRadar has chosen to release publicly a 'search tool' that is not in the best interest of ensuring customer privacy or security, and potentially exposing them to unnecessary risk.'
The City of Ballarat moved to the Microsoft Azure cloud storage system in 2020, in an attempt to 'streamline daily tasks and boost service levels'.
Council's data was stored in a cloud, and City of Ballarat's then manager for ICT solution design and development Rhett Nunn said Microsoft offered a 'well-rounded platform and... strength'.
"Moving to a cloud-based platform was really a big driver to remove those risks, reduce costs, and make it a lot easier for us to implement better disaster recovery and high availability. Ultimately, we wanted to get our hands on modern building blocks to solve business problems," Mr Nunn said.
The problem, says Professor Jill Slay AM, is storing data in the cloud is anything but secure.
Professor Slay is the University of South Australia SmartSat Professorial Chair of Cybersecurity. She says the latest breach, coming on the tail of the Medicare and Optus breaches, shows just how vulnerable personal information is when it's stored without adequate security.
"Essentially the tent has been left open," Professor Slay told The Courier.
"We were told the cloud would be the answer to all our data security problems, but my research is showing it is anything but that. The entities whose data has been made public - they should be horrified this has happened."
"Somebody has connected these systems improperly, so it is human error. This is my passion: one of the problems is professional cybersecurity in Australia is poorly accredited. There is a shortage of professionals, and the skills gap is huge."
Professor Slay says the BlueBleed breach is potentially serious in the case of Federation University, because university data is now legislated as critical infrastructure. She says it's often the case that smaller entities such as the university and council engage third parties to handle their data.
This is the case with the City of Ballarat, who had partnered with Olikka (now part of Accenture) to move to the Azure cloud storage. Accenture.com is also part of the breached data leak.
At the same time the City of Ballarat also adopted Microsoft's Office 365 and Dynamics 365. In a press release, Microsoft Australia's national technology officer Lee Hickin said the council was a 'beacon' to other local governments in adopting its applications.
"Adopting our three clouds - Azure, Office 365 and Dynamics 365 also ensures that Ballarat Council is able to scale services as the local population grows, have access to all its data to help develop innovative services that new residents crave, and also fully engage its firstline workers," Microsoft said in a release.
Essentially the tent has been left open- Professor Slay, University of South Australia SmartSat Professorial Chair of Cybersecurity
The City of Ballarat said its officers had developed applications have been automating and streamlining Council's gift register obligations, managing rostering for council swimming pools, libraries animal and shelter, and simplifying the collection of data from school crossing inspections.
Former deputy chair of Federation University George Fong has spent most of his past 30 years developing information and communication technologies. He agrees with Professor Slay that cloud storage by its nature is incredibly vulnerable.
"It's a case of not 'if', but 'when'," Dr Fong says, referring to the likelihood of data breaches.
"If a system is to be useful, it has to be human, and that is where the vulnerability is. It's like the Factory Acts of the Nineteenth Century - a machine has to be safe, but it has to be accessible too. We need security - firewalls, passwords, authentications, encryptions - but the best security is training your users properly."
Federation University said it was looking into the information release, 'however at this stage there has been no tangible impact to report.'
The City of Ballarat's director of corporate services John Hausler said council had contacted their Microsoft account manager regarding a potential data breach.
"Microsoft have advised that they are not aware of any customer accounts or systems being compromised and that any data that may have been impacted is publicly available information," Mr Hausler said.
"The City of Ballarat will continue to keep in contact with Microsoft and the Chief Information Security Officer at the Department of Premier and Cabinet regarding the incident for any further updates."
Microsoft Australia did not respond to queries from The Courier.
