Nigel Phair, a former cyber cop turned cyber crime consultant, said the information obtained could be used to take over customer accounts. "Since superannuation is a set and forget saving mechanism, account holders may only suspect an account takeover when they receive their annual statement (assuming they read it in detail)," he said. First State Super, which sent a letter to some members on October 7 informing them of the breach, has over 770,000 members and over $30 billion in funds under management. A large portion of its members are NSW public sector employees and their spouses, including police, politicians and magistrates. By sheer coincidence, the first statement Webster was able to pull up on testing the flaw was that of a former co-worker, with whom he had worked as a civilian on NSW Police's computer security team. To demonstrate the flaw to First State's IT staff, he wrote a script that cycled through each ID number and pulled down the relevant report to his computer. He confirmed that the vulnerability affected the firm's full customer database. "It took me 30 seconds to write. They're probably of the opinion that I spent several hours putting together something to attack them," Webster said of the script.
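The flaw described above is a classic insecure direct object reference: statements were served by a guessable sequential ID with no check that the requester owned them. From the defender's side, the pattern that gives such access away in server logs is one client fetching a long run of consecutive IDs. The following is an added illustration, not code from the article or from First State Super; the log format and the `/statements/view?id=` URL are constructed assumptions, as are the log lines themselves.

```python
import re
from collections import defaultdict

# Constructed sample access log (not First State's): one client walking
# consecutive statement IDs, and one client re-reading a single statement.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2011:10:00:01 +1100] "GET /statements/view?id=100231 HTTP/1.1" 200 41233
10.0.0.5 - - [07/Oct/2011:10:00:02 +1100] "GET /statements/view?id=100232 HTTP/1.1" 200 40871
10.0.0.5 - - [07/Oct/2011:10:00:03 +1100] "GET /statements/view?id=100233 HTTP/1.1" 200 39998
10.0.0.5 - - [07/Oct/2011:10:00:04 +1100] "GET /statements/view?id=100234 HTTP/1.1" 200 41002
10.0.0.5 - - [07/Oct/2011:10:00:05 +1100] "GET /statements/view?id=100235 HTTP/1.1" 200 40555
10.0.0.9 - - [07/Oct/2011:10:01:10 +1100] "GET /statements/view?id=100777 HTTP/1.1" 200 41003
10.0.0.9 - - [07/Oct/2011:10:02:15 +1100] "GET /statements/view?id=100777 HTTP/1.1" 200 41003
"""

# Assumed (hypothetical) URL shape: the statement ID is a decimal query parameter.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"GET /statements/view\?id=(?P<id>\d+) HTTP/1\.\d" (?P<status>\d{3})'
)


def find_enumeration(log_text, min_ids=4, max_gap=1):
    """Return {client_ip: [ids]} for clients whose successful statement fetches
    include a run of at least `min_ids` distinct IDs, each within `max_gap`
    of the previous one. Legitimate members re-read their own statement;
    they do not walk their neighbours' IDs."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ids_by_ip[m.group("ip")].add(int(m.group("id")))

    flagged = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        best = run = [ordered[0]]
        for cur in ordered[1:]:
            # Extend the run while IDs stay consecutive, else start a new one.
            run = run + [cur] if cur - run[-1] <= max_gap else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_ids:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, run in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(run)} consecutive statement IDs ({run[0]}..{run[-1]})")
```

Detection like this only limits the damage; the fix Dwyer refers to is a server-side authorization check that a statement belongs to the logged-in member, so that an ID alone never grants access.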

Webster called First State to share with them his discovery and after spending an hour trying to find someone who could understand the technical issues, he got on to an IT staffer there and sent him the evidence. He said several of First State's staff contacted him to say thanks for alerting them to the breach. Not long after, a page on First State's website was defaced in a separate breach with a message that read "stop war USA & Israel". "But then three and a half weeks later the police just knocked on the door and said we're here to speak to you about downloading files about First State Super," said Webster, adding police discussed the matter with him and told him to stay away from First State's website. The next day Webster received a letter from First State's law firm, Minter Ellison, telling him his actions constituted a breach of the Crimes Act and Criminal Code Act. He was also notified that his First State Super account had been disabled.

"You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police," the letter, seen by Fairfax Media, reads. Webster was also ordered to destroy all of the records he had accessed and notified that the firm reserved its rights to allow its IT personnel to examine his computer to verify that the records had been destroyed. The firm said they may go after him for costs related to the matter. He was given seven days to respond and asked to sign a letter admitting to having gained "unauthorised access". Webster said he had no intentions to attack First State - after all he is one of the firm's customers - and was only seeking to inform them of the vulnerability. But he was reluctant to sign a letter essentially admitting liability when he was only looking to help. "I'm just happy to see the matter go away really, it's pretty much put a halt to my business," he said.

Michael Dwyer, chief executive officer for First State Super, said the firm had patched the hole Webster discovered and was now undertaking a complete review of its security systems. He would soon meet Webster to discuss next steps. He said Webster may not have to provide the firm access to his computer if they could come up with another way for him to prove that he has deleted the records he downloaded. Asked whether the legal letter was heavy-handed given that Webster could have just as easily released the vulnerability to the hacking community, Dwyer said First State Super approached police as a matter of course when there was a privacy breach. He said Webster's actions were more serious because he did not just access his own or a mate's account, but hundreds of other customer accounts, to prove the security flaw was real. "While we were appreciative of him showing us a weakness in our security systems the size of the downloads concerned us greatly and the fact that it was a major breach of the privacy provisions of our members," Dwyer said in a phone interview.

"I'm confident that when we meet and discuss the matter we can resolve it to our satisfaction that he is actually not holding those files any longer." Dwyer acknowledged that the fact that the account information was exposed, potentially opening up members to identity theft, was "disappointing". But he said checks thus far had indicated that no one else had accessed the files in the way Webster had. Phair said Webster saved First State Super "a lot of pain" and he could see no legal basis for the firm demanding to access his computer, which could contain private and confidential information. "Had this exploit been discovered by someone with malicious intent then the outcome would have been significantly more serious," said Phair. NSW Police said it was not taking any further action on this matter. "There was no criminal offence committed and the company in question has been informed of the outcome. It was more a case of a civic-minded person reporting a potential security breach."

The Office of the Privacy Commissioner did not respond to a request for comment. Do you know more? asher.moses@smh.com.au This reporter is on Twitter: @ashermoses