Australian techie jailed for accessing museum's accounting system and buying himself stuff An Australian IT contractor has been sentenced to 30 months jail for ripping off the National Maritime Museum. The nonprofit museum celebrates Australia's maritime heritage – a matter of some import for the island nation, which therefore attracts government funding. Among the museum's exhibits is a retired destroyer, the HMAS …
Checking a known breached service (linkedin, pick your recent data breach occurrence) to see if users have had their data breached seems a bit redundant. It's the kind of lazy analysis companies do in order to come up with a headline reason why their staff are better than the randoms on a social network. Anyone using linkedin for longer than a few moments has had their profile exfil'd. Whether that is an actual problem depends on whether they are vulnerable to cred stuffing. Just saying someone appears on HIBP is weak research.
However putting clearance on your profile is a bit off. Clearance is for a specific purpose/role and does not carry to a new role. Hiring only those with current clearance is illegal (AGSVA site explains this quite clearly). And yet recruiters and employers do it all the time anyway. Which is why some are motivated to put their clearance in their profiles. Since what really matters to an employer should be whether clearance is attainable, perhaps candidates should put their citizenship and whether or not they have been to the big house?
Exactly that. Whenever you have done $stuff on the internet, you have likely created an account at one point in time somewhere. This data will (at one point in time, with some certainty) be leaked. Unless you reuse name / email / password combinations (credential stuffing) this is just an unfortunate effect of current life. This does not mean that I like the situation, it is just how it (unfortunately) currently is.
I believe new employers can register their interest on a person's Clearance with agsva so that changing employers isn't as much as a complete ball-ache as getting Clearance in the first place.
Also, if ever speaking with agsva you'll quickly find what a lack of humour sounds like. Those folks are absolutely no fun whatsoever
"National rules differ. In the UK, current security clearance can be transferred between contracts."
Yes, there are even some clearances which can auto-renew with a "subscription", others with minimal fuss just by filling out the form again, or replying "no changes" to circumstances. Most likely they accept that and just do a quick request to the Police National Computer system or whatever to make sure there's nothing new appeared since last time.
yes, they do differ. but Australian govt rules apply for australian security clearance. which was the topic of the study. Although it's relevance to their findings seems limited to amplifying clicky headlines only. They could have reported that 100% of fish n chip shop employees on linkedin appear on HIBP, so you'll get malware with your minimum chips.
in some nation's cases it isnt clearance for a purpose, but rather a general access level. Which is madness IMO, but they seem to make it work.
AGSVA does retain your data so submitting and the initial screening will be faster if you've had it recently. However it is illegal to prefer a candidate on this basis, they must simply be eligible for clearance. But we all know what happens in the real world.
However it is illegal to prefer a candidate on this basis, they must simply be eligible for clearance. But we all know what happens in the real world.
I didn't mention the fact the fact that I had a clearance when applying for an IT job, but they knew anyway as I was then still an officer in the ARES which they knew from my resume. Still had to apply for a new clearance, but it only took a few days not months like the initial one did when I was commissioned.
Most companies in Australia will generate ABA files that they send to the bank.
The ABA files contain the details of the payments they want to make to their creditors.
Quietly replacing the bank account numbers with different account numbers is an easy hack. ABA files are fixed format text files.
Also easy to detect. Just need to check with your payees that they have received expected payments and then check with the banks for payments that have gone missing.
Then look for Application Support staff that might have been sticking their fingers in the cookie jar.
Just need to check with your payees that they have received expected payments
No need to 'check'. They'll let you know sharpish. *Ring-ring-ring* "Hello, ABC Corp, Accounting, Jennifer speaking."
"XYZ Co,, Accounts Receivable, Gerald here. Where's our fookin' money?!!"
"Hello, ABC Corp, Accounting, Jennifer speaking."
Funnily enough our public broadcaster ( ~ BBC or PBS) is ABC Corp. [Australian Broadcasting Corporation]
Given the current cultural drift of that broadcaster the manner of XYZ co.'s Gerald's inquiry addressed to Jennifer is likely to stir up a veritable hornets nest. :)
The fraudster didn't buy his stuff and charge it to the museum. He changed things around so that instead of the museum sending money for certain payments to, say, DEF Co., it instead sent the money to the fraudster's personal bank account.
Usually these sorts of fraudsters don't arrange things so the skimmed funds go directly to their personal accounts, but instead, go to accounts of shell companies which they have created. This guy was lazier/more-stupid than most.
Criminal record information is classed as ‘sensitive information’ in the Privacy Act 1988. You can go the other way -- given a name you can get a list of all pleas and convictions -- but apart from that, data held by the police about people is probably not generally releasable. In fact, even police members are not allowed to just go browsing the police records.
However, press releases about court convictions are probably non-identifiable to avoid problems when appeals are, or are likely to be, before the courts. (And there may also be other charges still before the courts)
"used his role as a contract IT support worker to access the Museum's accounts payable system and illegally change bank account details to his own."
Thus leaving a trail in giant blazing neon lights that pointed straight to his accounts and therefore to him. That's the dumbest thing ever! I'm pretty sure that an insider with full access would have found better ways of covering their tracks!!!
Since Linkedin were hacked back in circa 2016, anyone who has had a Linkedin account longer than 10 years appears on Have I been Pwned.
So this is not exactly rocket science. You could also the right the headline as "Over half of people who list themselves as holding clearances have been on Linkedin for longer than 10 years...". But I guess that's not as headline grabbing...
Given the number of data breaches over the years, anybody who does NOT have a listing on "Have I Been Pwned" probably lacks sufficient experience for anything much more than an entry-level or low-level position. And since LinkedIn was compromised in 2012, that means that many (most) people with 12+ years of industry experience (pick any industry) will be on the list since Circa 2012 companies would mandate LinkedIn profiles even though the employees didn't want or use them.
I am surprised that the percentage of people with listings wasn't higher.
There are linkedin groups specifically for security cleared techs, one might hope that anyone joining would lose their clearance and get a stern talking to but it seems not.
Seems rather daft that people actually advertise the fact and make themselves a target but I guess there's nowt so stupid as folk.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
