Potential Data Breach Handled Incorrectly
Reported At: Saturday, May 9, 2020
Resolved At: Monday, January 1, 0001
Case Number: OPS-69547, CFS-8301
Status: Unresolved

Timeline

  • 2020/05/09: Discussion about a S3 bucket starts circulating in the community about an Amazon S3 bucket that files named "CovidSafeUserData". Reported to ASD.Assist@defense.gov.au, support@covidsafe.gov.au.
  • 2020/05/12: support@covidsafe.gov.au (the designated security contact address) responded to the matter incorrectly and directed Geoff where he could download the source code of the application.

Recommended Next Steps

  • Separate customer support and security reporting channels. Establish a proper bug bounty.