top of page

Cybersecurity giant Symantec plays down unreported breach of test data

Source: Guardian Australia on 13th June 2019.

Symantec said the 'minor incident' involved an 'isolated, self-enclosed demo lab in Australia – not connected to Symantec’s corporate network – used to demonstrate various Symantec security solutions and how they work together”.

According to the Guardian report, the hacker extracted a list of purported clients of Symantec’s CloudSOC services, account managers and account numbers. Symantec, however, insists data contained in the system were "dummy e-mails and a small number of low-level and non-sensitive files for demonstration purposes in a demo lab not used for production purposes".

Guardian in its report, claimed that it have seen the list that apparently has clients such as the Australian federal police, the big four banks, insurers, universities, retailers and departments in the New South Wales and federal public service. Symantec however, responded to that is an old list of some of the largest public and private entities in Australia – it was in the environment for testing purposes and the entities are not necessarily Symantec customers.

Even though the Australian Privacy Act creates a scheme for compulsory notification when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach, Symantec said it did not disclosed the incident because they concluded that "no sensitive personal data was hosted in or extracted from this demo lab, nor were Symantec’s corporate network, email accounts, products or solutions compromised”.

In cases like this where the 'protector' who is supposed to protect others are compromised, do the public just take their confirmation that no data were compromised? Shouldn't it be more than just a standard response to the general public? What if the network in those organisations that are on the list are compromised later? Whose responsibility is it? The organisations themselves or Symantec? Or it could be another - you say I say type of blame game? Detail proof as to whether those data contained in the system were really  “dummy e-mails and a small number of low-level and non-sensitive files for demonstration purposes” in a demo lab“ not used for production purposes will put any doubts to rest.

Symantec provides cybersecurity software and services and is a Fortune 500 company and a member of the S&P 500 stock-market index. And the investing public that invested into the organisation expects clarity in their explanation.


bottom of page