Buying A Breach: Pacnet’s Dirty Little Secret



When the Australian telco Telstra purchased Pacnet for US$697 million earlier this year, the idea was to expand its reach in Asia. Instead, it ended up buying a controlling stake in a massive data breach.

When the Australian telco Telstra completed its purchase of Pacnet for US$697 million on April 16, the idea was to expand its reach as a provider of enterprise services to large corporations in Asia. What the firm got instead was a controlling stake in a massive data breach.

According to news reports on Wednesday, Pacnet was the victim of a massive breach that gave outside hackers access to pretty much every part of the company’s infrastructure: from e-mail servers to administrative systems.

Unfortunately, as press reports note, that was a detail that Pacnet declined to relay to Telstra until after the acquisition was complete. And by then the problem had gotten worse, not better.

“We have not been able to tell from forensic information or system logs what has been taken from the network," Telstra chief information security officer Mike Burgess said, in a report by the Australian Financial Review. "But it is clear they [the attackers] had complete access to the corporate network and that's why we're telling customers."

According to reports, attackers used a SQL injection attack to compromise an application server and upload malicious software to Pacnet’s network.

This is troubling for a number of reasons. For one, Pacnet counts many high-value Australian federal agencies as customers including The Australian Federal Police and the country’s Department of Foreign Affairs and Trade, among other government agencies. Pacnet also operates a network of undersea cables that are a critical part of the global Internet.

As is often the case with breaches, Telstra is trying to downplay the impact of the compromise. Telstra Group Executive of Global Enterprise Services Brendon Riley was quoted as saying that the company had little evidence of who was behind the incident, but that “the networks ... are secure.” Government agencies quoted in the story offered assuring statements as well that there is no evidence that government data stolen from Pacnet had been misused.

Of course, this incident is still in its early days. And Pacnet may never have been the target so much as its high value users. Given the length of the breach – which may be measured in weeks, rather than days or hours – it may be very difficult to determine what information hackers gained access to, or whether they used the access to Pacnet’s network to gain access to other high value assets.

The case also raises troubling questions about the propriety of Pacnet waiting until its acquisition was complete to disclose such a potentially damaging and expensive lapse.

“It would've been good to know about it a little earlier but Pacnet felt they were dealing with the incident," Riley said. But what do you expect him to say having dropped US$700 million less than a month prior? You can hear his teeth grinding from North America.

The failure to disclose could well be a breach of the purchase agreement that spells out the deal, said Andrea Matwyshyn, but “much depends on how the agreement was drafted and how significant the corporate asset damage was.”

The message for companies in the market to acquire, however, is clear: due diligence these days should extend to breach- and data loss detection. Just as you send in accountants to review the books of potential targets, you should send in your computer and network forensics ninjas to make sure your target firm hasn’t been picked over by hackers. After all, the cost of being wrong could be high.

Paul F. Roberts is the Editor in Chief at The Security Ledger and the founder of Security of Things Forum.

Telstra photo via James Davies.

Paul Roberts

Please post your comments here

Data Protection Vendor Evaluation Toolkit

The toolkit contains an RFI-RFP criteria template and a corresponding vendor evaluation scorecard.

Download Now

Related Articles
Phishing Attack Compromises Data Belonging to 30K Florida Medicaid Patients

Information, including patients' date of birth, Social Security number, address, Medicaid ID, and diagnoses, may have been breached.

Friday Five: 12/22 Edition

Catch up on the week's infosec news with this recap!

After Panama Papers: Firms Should Add Pen Testing to Due Diligence Process

An analysis by Wired shows that the Panama firm Mossack and Fonseca did a poor job managing its public facing systems, all the while promising clients security.