Hacker accessed passwords and list of purported clients, including Australian government agencies – but company says these were only demonstration accounts

This article is more than 1 year old

This article is more than 1 year old

The American cybersecurity giant Symantec has downplayed a data breach that allowed a hacker to access passwords and a purported list of its clients, including large Australian companies and government agencies.

The list extracted in the February incident, seen by Guardian Australia, suggests that all major federal government departments were among the targets of a hacker who also claimed to be responsible for Medicare data being available for sale on the dark web.

But Symantec said the “minor incident” involved “an isolated, self-enclosed demo lab in Australia – not connected to Symantec’s corporate network – used to [demonstrate] various Symantec security solutions and how they work together”.

The incident was not reported because Symantec concluded that “no sensitive personal data was hosted in or extracted from this demo lab, nor were Symantec’s corporate network, email accounts, products or solutions compromised”.

The hacker extracted a list of purported clients of Symantec’s CloudSOC services, account managers and account numbers – but Symantec insists data contained in the system were “dummy e-mails and a small number of low-level and non-sensitive files for demonstration purposes” in a demo lab “not used for production purposes”.

The list of purported clients includes the Australian federal police, the big four banks, insurers, universities, retailers and departments in the New South Wales and federal public service.

“This is an old list of some of the largest public and private entities in Australia – it was in the environment for testing purposes,” a Symantec spokeswoman said. “These entities are not necessarily Symantec customers, nor do we necessarily host services for them.”

Several federal departments, including infrastructure, industry, human services and finance, confirmed that they do not use Symantec’s CloudSOC services and do not store information with Symantec. But Guardian Australia understands that others queried the “minor” breach with Symantec because they are customers.

The Department of Social Services said it “uses Symantec products including CloudSOC, in line with Australian Cyber Security Centre best practice”.

“The product in question is not used by the department to store customer, or sensitive information.”

In a statement the Department of Infrastructure, Transport, Cities and Regional Development noted the department name referenced in the list was “discontinued in 2013”.

“We have received no notice from Symantec regarding this matter, but we will make contact in relation to their continued use, if any, of our department name.”

China behind massive Australian National University hack, intelligence officials say Read more

In a statement the Department of Home Affairs said it “does not use the Symantec CloudSOC services, however does use a number of other Symantec products on the department’s internal network, that are managed by departmental staff”.

“The department does not have any sensitive information that is held by Symantec.

“Information held by Symantec would relate to Symantec’s commercial relationship with the department, which is publicly available information.”

The departments of agriculture, education, employment, communication and arts said they used other Symantec products, but not cloud services, and did not store information with Symantec. Education also said it would “make contact in relation to their use of our department name”.

The Australian Privacy Act creates a scheme for compulsory notification when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.

The Symantec spokeswoman said it treated “any cybersecurity incident – regardless of its scope or severity – with the utmost priority and take great caution in complying with the laws of the countries in which we do business around the world”.

“Consistent with our internal policies and guidance, which align with national and international data protection laws, no sensitive personal data or information has been disclosed that would trigger any regulatory obligations, but Symantec will continue to take appropriate remediation efforts if the situation changes.”