PPRuNe Forums


currawong 11th Jul 2018 21:24

Stay sharp people...
 
Airport security card company reveals data hack as AFP investigates - ABC News (Australian Broadcasting Corporation)


Oh dear oh dear.....

Okihara 11th Jul 2018 22:20

Some gems from the article:

"Aviation ID Australia … advise that a localised portion of our website has been intentionally accessed by an unauthorised entity," managing director Ian Barker said.
That sentence alone from their MD indicates that he just has no idea how sensitive data should be securely stored. Websites are just a medium for users to access their data, not the data itself. If hacking a website gives the culprits straightforward access to the data, then these people have no idea what they are doing and shouldn't be processing ASIC applications in the first place!

Why are ASIC applications outsourced anyway? Isn't it only obvious that this is mitigating the standards it strives to achieve?

Now from the following two quotes:

This is not the first time Australia's aviation security system has come under scrutiny, with revelations in the past that people have been granted ASICs despite having criminal records or a history of association with radical Islamic groups such as Al Qaeda.

A federal report released last year revealed approximately 20 per cent of airport staff with access to planes have criminal convictions, including for drug trafficking.
I'd like someone (preferably a CASA statistician – hire one if you haven't yet, and give them a C-level role) to explain to me just to what measure they perceive aviation safety to be affected by such preposterously sloppy work by their contractors.

In my humble view, I feel that aviation is undergoing a much greater safety risk by allowing criminals with shoddy beliefs around airports and airliners that carry passengers in the tens or hundreds at a time than by imposing unaffordable maintenance standards on single engine aircraft, lest they all fall out of the skies (simultaneously).

Statistically it would take 100 to 200 single engine aircraft to crash (with fatalities!) to match the human cost of that of a single airliner with 200 souls, a statistical null-event, even within a whole year.

Last remark: security checks on domestic flights in Australia are a laughable joke (I don't think the wording can be strong enough). There's no ID check, scanners let just about anything go through. The only thing they insist on is that you leave your coffee at the gate to increase their onboard sales.

MagnumPI 11th Jul 2018 23:07

I recently (as in last 3-4 months) renewed my ASIC with this company. No email correspondence received about the data breach. Should I be worried?

MagnumPI 11th Jul 2018 23:10

Called them. According to the customer service person on the phone, unless you received the email you are not affected. I asked the person if they were certain and she confidently replied yes...

nonsense 11th Jul 2018 23:16


A federal report released last year revealed approximately 20 per cent of airport staff with access to planes have criminal convictions, including for drug trafficking.
I wonder what proportion of the general adult population have criminal convictions? 2%? 5%? Unless it's 25%+ you'd have to think airports are being actively targeted for the "opportunities" they might provide! And even if these people have no malicious intent, I can't see them being the sorts of people who respect inconvenient rules if they can see a short cut...

MagnumPI 11th Jul 2018 23:21

The entire ASIC process is a cancerous growth festering on the dying body of GA, I have written on this forum about it before. Why on earth are we putting up with paying for something that costs almost as much as a passport, yet is valid for only 2 years, and a passport is valid for 10!

The only purpose this serves is lining the pockets of some bottom feeders on the gravy train in Merimbula and elsewhere.

currawong 12th Jul 2018 02:43

The ASIC is but one layer of security in Australia. To not have it would be negligent, given the security situation. It is not a magic bullet. It is just one layer.

It would seem to have realistic conditions attached to it under our circumstances.

I would urge those involved (probably all of us) to hope for the best but prepare for the worst.

Your details including certified copies of documents have probably been sold online. You are now in the gun for identity theft.

It is possible that those who may wish to do harm, now know who has access to sensitive areas/ information/ materials. And where you/ your family lives. This could make you a target for coercion or worse.

You figure it out.

havick 12th Jul 2018 02:47


Originally Posted by currawong (Post 10194688)
The ASIC is but one layer of security in Australia. To not have it would be negligent, given the security situation. It is not a magic bullet. It is just one layer.

It would seem to have realistic conditions attached to it under our circumstances.

I would urge those involved (probably all of us) to hope for the best but prepare for the worst.

Your details including certified copies of documents have probably been sold online. You are now in the gun for identity theft.

It is possible that those who may wish to do harm, now know who has access to sensitive areas/ information/ materials. And where you/ your family lives. This could make you a target for coercion or worse.

You figure it out.

class action? Put them out of business

LeadSled 12th Jul 2018 05:46

Folks,
I would point out that the company mentioned is only one of many companies that issue ASIC cards.
As for cards mentioned in the inquiry that had been issued to people with criminal records or "interesting" backgrounds, I am confident in saying that it was NOT this company, indeed some of the cases involved docks, not even aviation.
For example, most major airports are ASIC issuers, as are larger airlines.
I have no relationship with this company, I just want to see some balance in the comments.
Tootle pip!!

Lookleft 12th Jul 2018 05:54

ASICs should never have been privatised.

Clare Prop 12th Jul 2018 05:59

CASA steered all the ASICs through one issuing body without giving people a list of options of issuing bodies or putting it out to tender. Now these hackers have your ARN as well. Well done, CASA.

MagnumPI 12th Jul 2018 06:01


Originally Posted by currawong (Post 10194688)
The ASIC is but one layer of security in Australia. To not have it would be negligent, given the security situation. It is not a magic bullet. It is just one layer.

Would it though? By all accounts the USA looked into a similar system post 9/11 and didn't go through with it.

Lord knows how many terrorists want to blow up Port Macquarie airport.

I guess the air is different after all in Australia!

Squawk7700 12th Jul 2018 06:41

No data is safe. If a decent hacker wants to get in, they will. Government or private, it doesn't matter, it's not safe.

Lead Balloon 12th Jul 2018 07:05

Yabbut...the ASIC system itself creates the honeypot of concentrated identity data for hackers and the security vulnerability for exploitation by baddies. Only the law-abiding pay, and not just in money.

currawong 12th Jul 2018 07:14

Personally I don't think the AFP is up to this one. It is a national security issue. The threat is likely to have come from offshore.

Magnum, the USA came up with the TSA and Air Marshals. Not sure either suit our scenario.

As for crims on airports? GA is a vital part of the local infrastructure.:}

Old Akro 12th Jul 2018 08:39


class action? Put them out of business
Why? It will make our lives harder.


CASA steered all the ASICs through one issuing body without giving people a list of options of issuing bodies or putting it out to tender. Now these hackers have your ARN as well. Well done, CASA.
Ummm - No.
1. Aviation ID exists because CASA made a complete dog's breakfast of its initial attempt to issue ASIC cards. By complete dog's breakfast, I mean unmitigated disaster taking months to issue cards and losing applications, etc.
2. There are many other issuing bodies. But the system is centered around the airlines who issue their own ASIC cards. GA was left out in the cold by CASA and Aviation ID filled the vacuum.


Would it though? By all accounts the USA looked into a similar system post 9/11 and didn't go through with it.
100% correct.

After 9/11 both the FAA & CASA looked at aviation security. CASA wrote about a 2 page report and concluded we needed fences at airports, locks on GA aircraft and Aviation ID cards. The FAA wrote about a 50 page document that looked in depth at the risks associated with each of the different segments of GA (private, corporate, charter, training, sport, airshows, aerial agriculture) and concluded that the low risk of GA didn't warrant additional measures except for aerial ag which had some biosecurity concerns.

I read both documents in detail. Unfortunately, they are both long gone from the public websites.

We have ASIC cards because of lack of competence by CASA and the arrogant attitude it has to GA.

Who cares if Aviation ID are making money? The alternative will be more expensive with worse service via CASA. What we really need is a review of the whole security arrangements. It's time to ditch the aircraft locks, security gates and ASIC cards.

Clare Prop 12th Jul 2018 10:10

Old Akro,

Aviation ID Australia are a private company that were set up, according to their website, "as a service provided to Merimbula Airport in 2005".
Yes CASA made a complete hash of it at first and then outsourced it to this private company that was already doing it, via a direct link from their website. AFAIK without any tender process and certainly without any reference to other issuing bodies, so that most people think this is the only way to get an ASIC. Now this system has been hacked. Not all issuing bodies use online application forms which are vulnerable to hacking.

YPJT 12th Jul 2018 10:25

It is not correct to refer to CASA and aviation security in the same context. CASA has no input whatsoever into the enforcement of the ATSA and ATSR.
As for their relationship with Merimbula. When the ASIC debacle started back in about 2005 most, if not all, security controlled airports were automatically directed to become issuing bodies. That was culled back a few years ago to the relatively modest list that exists today. Merimbula from the outset through Aviation ID Australia set themselves up as a provider to GA. As Old Akro correctly said above, CASA made a complete dog's breakfast of it and although still required by legislation to be an issuing body, the day-to-day functions of receiving applications and issuing cards are done by AIDA.
I have been told that as a result of this breach the requirements that the Department has put on issuing bodies with regard to auditing of IT systems and gaining accreditation is going to be quite onerous - which is another word for expensive. The hacking appears to have been with the online submission of an applicant's data. Many issuing bodies continue to use a manual paper-based application process and the only online activity is the submission of the background check through the Department's secure website so unless you applied through AIDA or the other issuing body that was compromised, your information should remain safe.

zanthrus 12th Jul 2018 12:06

ASIC is a total waste of our money and a useless document. I am done re-proving myself as a non-terrorist every two years. Bin the whole system as it protects NO ONE!
The 9/11 culprits were PASSENGERS who had no requirement for ASIC.

YPJT 12th Jul 2018 12:24

I for one don't dispute a lot of the misgivings about ASICs but sadly they are here to stay.

