Telstra’s Pacnet, a telecom service provider primarily based in China and Singapore, suffered a breach early last month that may wind up affecting thousands of customers, including Australia’s Federal Police, the continent’s Department of Foreign Affairs and Trade, and other entities.
Telstra, an Australian telecom firm that acquired the company last month, is likely experiencing a bit of buyer’s remorse because when the company announced the breach Wednesday, it claims it occurred just two weeks before it finalized its deal with Pacnet. The company finalized the purchase April 16 for more than $650 million.
According to a statement released by Mike Burgess, the company’s chief information security officer, a third party was able to gain access to the company’s corporate network via a SQL vulnerability. From there they uploaded “malicious software” and stole admin and user credentials.
Pacnet’s corporate network, emails, and other administrative systems in particular, were implicated by the breach.
It’s believed that several Australian government agencies, including the Australian Federal Police and the NSW Government and Austrade at one point ran its systems through Pacnet, which may have opened them up to compromise. Another agency, Australia’s Department of Foreign Affairs and Trade also used the service for global connectivity at one point.
For what it’s worth, Telstra claims it was able to immediately address the vulnerability and remove the malware but admits it doesn’t know who carried out the attacks or why. The company is assuring its customers that Pacnet’s corporate IT network coexists separately from Telstra’s and that it hasn’t spotted any nefarious activity on its own networks.
There’s a chance the breach could hamper the company’s plans for the Asian telecom. The firm previously called Asia an important part of its growth strategy and claimed it was intending on using Pacnet’s existing infrastructure – nearly 30,000 feet of undersea network cable – to bolster its presence in Asia and around the Pacific Rim.
“I feel bad for Telstra, it’s like watching someone get in a car accident right after buying a new car,” Trey Ford, a Global Security Strategist at Rapid7 said Wednesday, “By disclosing the breach, they’re really doing the right thing in terms of transparency — acknowledging a breach is important in protecting relationships.
“Acquisition due diligence from a security standpoint is usually focused on the existence of security controls and compliance programs, and I wouldn’t be surprised if we start seeing more focused incident detection exercises before purchase.”