A Ukrainian cybersecurity firm has discovered an unsecured cache of ABC Commercial files, which it says includes two years of database backups, email addresses and hashed passwords.
The files were found by cybersecurity firm Kromtech on an incorrectly configured internet service.
The company initially attempted to alert the ABC to the data breach on Wednesday.
Kromtech head of communications Bob Diachenko said the firm found the publicly accessible data by accident using a simple search tool.
“We used a public search engine, and this tool allows you to search for any open databases connected to the internet,” Mr Diachenko said.
“So we ran the search … and one of the links that we saw was a link to the commercial department of the ABC.”
Kromtech said the exposed data included 1,800 daily backups of an ABC Commercial database, as well as requests sent by overseas TV producers to the ABC to license its content.
The data was stored on Amazon S3, a widely used commercial cloud service run by internet giant Amazon.
An ABC spokesperson said the corporation was notified of “a data exposure” on November 16 and technology teams “moved to solve this issue as soon as they became aware”.
The data is no longer publicly accessible. The ABC’s spokesman was asked how long the files were available and unsecured, but no answer was provided.
Mr Diachenko said anyone could potentially have accessed the data if they knew, or could guess, the name of the folder in which it was stored.
“It was open to the public, and what is more alarming is that not only public data was there, but also private data, which is not supposed to be under such a configuration,” he said.
“It doesn’t require any password. You just put the link into your browser and you receive access.
“If you’re a malicious person and targeting for example the ABC or any other company, you can simply try to get the most popular extensions used by administrators to … gain access.”
Data leak doesn’t surprise security expert
Breaches of personal data held by corporations or government are increasingly common, and recent laws introduced in Australia compel certain organisations to report them.
According to a 2017 Australian Cyber Security Centre threat report, criminals can use personally identifiable information to “facilitate financial crimes and identity theft”.
“Basic information, such as name, birth date and address, is often enough for criminals to impersonate victims,” the report reads.
The report also warns of inadvertent data exposure via Amazon S3, which is what happened to ABC Commercial.
“Data exposed has included customer names, credentials for internal systems, and network diagrams,” a case study reports.
Troy Hunt, a security researcher who tracks online data breaches, said he was not surprised by news of the ABC breach.
“A lot of the value proposition of the cloud, a lot of the attraction is that it is very cost-effective, it is very easy to access and stand up services,” Mr Hunt said.
“That makes it fantastic for doing good things with, but all of those attributes also make it extremely easy to make one little mistake.
“[This kind of data breach] is not unusual, and the reality of it is the ABC just joins a great big long list of organisations that have done precisely the same thing.”
A spokesperson for the Office of the Australian Information Commissioner said the agency is not investigating the incident.
“This incident is a reminder of how important it is for organisations who use web services like Amazon S3 to check that their security settings are properly configured,” the spokesperson said.