First State rewards security tip with legal threat


blog Whoah. It looks like Australian superannuation fund First State Super has had a massive, corporate-style over-reaction to a security analyst, Patrick Webster who politely let it know about an obvious, glaring security hole in its online platform.

The full details have been published by Secure Computing Magazine (and we recommend you also check out their earlier article here). But basically it looks like it’s a case of the poor analyst reported the flaw, was politely thanked by First State, and then had his details summarily handed over to the cops, who showed up on his doorstop shortly after. Further information comes from security podcast Risky.Biz, which reports:

“Perhaps instead of contacting the law, First State Superannuation would have done well to send Webster, who ironically enough spent much of his career working in information security for NSW Police, a nice bottle of single malt and a sun hat.”

We agree. Surely there is someone with an iota of sense in First State Super? Anyone? Someone, perhaps, who could listen to the NSW Police on this matter, which has decided to take no action on the issue, describing Webster as “a civic-minded person”?


  1. Reading the article on The Age about this he apparently made a script to go through and download details of people from the site.

    Which I’d say where the issue actually is.

    It also may just be policy to report all security breaches to the Police. Even if he did have good intentions it still was a security breach

    • It does sound like he went a bit far beyond the call of duty … but I’d still say First State should award the guy a little more cred, given he used to work for the police himself.

    • What if this was a real-world security breach? I think the equivalent would be ringing their call centre repeatedly, trying different member numbers to identify oneself, and noting how many times the phone monkey on the other end gave up a real customer’s policy details. Would that be worthy of punishment? Not if the prank-caller was benign, and let the company know about the problem. Hysteria around information security is what keeps the good guys from wanting to help!

Comments are closed.