An SQL injection attack allowed third-party access to Pacnet’s corporate IT network on 3 April, less than a fortnight before the company's sale to Telstra was finalised on 16 April, the telco revealed today.
“We are in the process of informing all of our customers what happened on the Pacnet corporate network. We have no evidence that data has been taken but we wish to inform them because of the nature of the breach,” said Telstra CISO Mike Burgess on a media call.
The AFP has been informed as they are a customer of Pacnet, he said. Details of other customers were not revealed.
Telstra group executive of global enterprise services, Brendon Riley, said the company had taken immediate action to protect the security of the network once it was informed of the breach.
An investigation found a third party had gained access to Pacnet’s corporate IT network, including email and other administrative systems, through a SQL vulnerability that enabled malicious software to be uploaded to the network.
Riley said Telstra's due diligence of Pacnet did not include investigation of its corporate network.
“The due diligence process [of Pacnet] ran from December 2014 through to February 2015. This ran as far as it could and in terms of network operations, it wasn’t one of the things we were able to do,” said Riley.
“We were notified as soon as possible after completion and prior to that, the Pacnet team were managing and dealing with the incident.”
Riley said it took time to inform the market as Telstra staff had to examine the Pacnet systems.
“If we could have done it faster, I think it would have been better to do it faster but we moved as fast as we can in terms of customers and regulators in different markets.
“To protect against further activity we rectified the security vulnerabilities that allowed the unauthorised access. We have also put in place additional monitoring and incident response capabilities that we routinely apply to all of our networks.”
According to Riley, the Pacnet corporate IT network is not connected to Telstra and there has been no evidence of any activity on Telstra’s networks.