A security consultant who quietly tipped off First State Superannuation about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw.



A legal document (pdf) seen by SC and sent from Pillar, the fund administrator of First State Super, demanded that Patrick Webster provide the company's IT staff access to his computer.



The company acknowledged in the document that Webster had reported the flaw in good faith but warned that he may have contravened the NSW Computer Crimes Act by accessing another customer's data.

Webster, a customer of First State Superannuation, found a direct object reference vulnerability in a statement emailed on 24 September.



He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleagues' account.

That account contained information including name, address, date of birth and financial payments.



Webster notified his colleague and contacted Adam Jarrett of Pillar hours later and informed them of the vulnerability and that he had not accessed other accounts or retained customer data.

He said the company thanked him for reporting the issue and fixed the flaw within 24 hours.

But the company, which had not returned requests for comment by SC, had begun legal action and informed NSW Police of what it considered a breach of the NSW Computer Crimes Act.

Burwood police detectives questioned Webster on Wednesday night.

“You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police,” the letter signed by Minter Ellison partner Maged Girgis said

“Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.

“Your unauthorised access also constitutes a breach of [Pillar’s terms] and has caused the Trustee to expend members funds in dealing with this matter.”

Amazingly the letter warned that the “Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms”.

It demanded that Webster delete all records in which he had “gained authorised access” allow IT personnel the right to verify the destruction of the data.

His online account with the fund has been suspended.

More to come.