IT Security: Telstra Reveals Large-Scale Security Breach at Pacnet

Telstra has revealed a security breach on its Pacnet network allowed unknown third parties full access into the subsidiary's corporate systems.

The telco today said the breach had occured before Telstra took ownership of the company following its December takeover announcement.

Telstra said it was told about the breach when it finalised the A$857 million purchase of Pacnet on April 16.

Pacnet had closed the vulnerability on April 3rd, but Telstra opted to investigate further after it was notified of the incident, group executive of global enterprise services Brendon Riley said.

Riley said since the two parties were still competitors during the December to February even during the due dilligence process, Telstra was limited as to how much information about Pacnet's operations it could access.

"The due dilligence went as far as it could and in terms of deep, detailed analysis of networks and operations, it wasn't one of the things we were able to do," he said.

The attackers gained access to the Pacnet corporate IT network - including email and admin systems - through a SQL injection on a web application server.

SQL injections let attackers issue commands to be executed on vulnerable servers, in order to dump contents of databases and to change or delete the information.

“To protect against further activity we rectified the security vulnerabilities that allowed the unauthorised access," Riley said.

"We have also put in place additional monitoring and incident response capabilities that we routinely apply to all of our networks."

Telstra is now advising Pacnet customers - which it revealed included the Australian Federal Police, among others - globally about the breach. It said it had not received any contact from a perpetrator and had no information on motive.

The telco said it had no evidence data had been taken from the network. It refused to say how many customers were affected.

Pacnet's network was not connected to Telstra, and the telco said it had no evidence of malicious activity on Telstra's networks.

Telstra CISO Mike Burgess said the telco was unable to tell from system logs what had been taken from the network, "but it's clear they had complete access to the corporate network, and that's why we're telling customers".

Pacnet boasts Asia's largest privately-owned submarine cable network, with 46,500km of submarine cable between the US and Asia.

It counts 2400 enterprise customers and 220 retail and wholesale partners.