Telstra has revealed a major security vulnerability at its newly acquired Pacnet business, with intruders gaining complete access to the corporate network.
The telco today revealed that the vulnerability had enabled "third-party access to their corporate IT network", potentially impacting thousands of Pacnet's customers, which include government and enterprise clients.
The telco would not reveal the number of customers affected. However, at the time of the acquisition announcement, it revealed Pacnet would bring 2400 enterprise customers and 220 retail and wholesale partners, along with Pacnet's extensive submarine cable network, 29 data centres and 109 points of presence.
Pacnet had rectified the vulnerability on 3 April, then revealed the issue to Telstra "just after" the $857 million sale was settled on 16 April.
"To protect against further activity we rectified the security vulnerabilities that allowed the unauthorised access. We have also put in place additional monitoring and incident response capabilities that we routinely apply to all of our networks," said Brendon Riley, Telstra's group executive of global enterprise services.
"We are confident that the environment is secure, we haven't uncovered anything untoward but we have to be very open that that is a possibility and we have to be ready to deal with that," he added.
The attacker gained access to the Pacnet corporate network through an SQL injection on a web application server, said Telstra CISO Mike Burgess.
Telstra has revealed that the attackers had complete access to the Pacnet network. While it has "no evidence that data has been taken from the Pacnet network", the telco could not advise whether data had been leaked.
Riley stressed: "The Pacnet corporate network is not connected to the Telstra network and there is no evidence of issues with our networks in Australia or around the world."
Telstra started advising Pacnet customers about the breach in the early hours of this morning, before inviting Australian media to a conference call.
Telstra and Pacnet first announced the tie-up in late December before settling in April.
Asked why Pacnet had not informed Telstra about the problem sooner, Riley said that during due diligence between December and February "we were still competitors, technically".