Symantec Breach Exposes Purported Client List, Passwords In Demo Lab: Report

Symantec characterized the breach as a ‘minor incident’ since it involved a self-enclosed demo lab in Australia that wasn't connected to the company’s corporate network.

A February data breach at Symantec gave hackers access to account numbers, passwords, and a purported list of prominent Australian clients, according to a Guardian Australia report.

The Mountain View, Calif.-based platform security vendor characterized the breach as a "minor incident" since it involved a self-enclosed demo lab in Australia that wasn't connected to Symantec's corporate network. Symantec told Guardian Australia it didn't report the breach since the demo lab didn't host or have any sensitive personal data extracted from it.

The Australian Privacy Act requires notification when a data breach is likely to result in serious harm to individuals whose personal information is exposed. Symantec, however, told Guardian Australia that no information disclosed in the breach would trigger any regulatory obligations.

[Related: 10 Things To Watch For From Symantec's Interim CEO Richard Hill]

The hackers targeted Symantec accounts belonging to several large Australian businesses as well as all major Australian government departments, Guardian Australia reported. The same actor that breached Symantec took credit for stealing information from Australia’s Medicare program that later appeared for sale on the dark web.

The hackers extracted a list of supposed clients of Symantec's CloudSOC CASB (cloud access security broker) services, as well as account managers and account numbers, Guardian Australia said. Symantec said the data in the exposed system included dummy emails and a small number of low-level and non-sensitive files only use for demonstration – and not production – purposes.

"No sensitive personal data was compromised nor were Symantec’s corporate network, email accounts, products or solutions," Symantec told CRN in a statement. "As the world’s largest cyber security company, it is not uncommon for Symantec to be targeted by hackers and other cybercriminals."

The use of “dummy data” is not uncommon, and affords companies the ability to relax security protocols while testing new products, Gizmodo said. Using fake customer information during the testing phase allows developers to share access to their work without fear of leaking sensitive data.

The list of supposed clients included the Australian federal police, major banks, insurers, universities, retailers, and New South Wales and federal government departments, reported Guardian Australia, which had viewed the list.

“This is an old list of some of the largest public and private entities in Australia – it was in the environment for testing purposes,” Symantec told Guardian Australia. “These entities are not necessarily Symantec customers, nor do we necessarily host services for them.”

Australia's Department of Social Services confirmed to Guardian Australia that it uses Symantec products including CloudSOC, but said it doesn't store any customer or sensitive information on Symantec's CASB tool.

The CloudSOC capabilities come from Blue Coat Systems' $280 million of acquisition of cloud startup Elastica in 2015, with Blue Coat itself being acquired a year later by Symantec for $4.65 billion. Symantec's stock was up $0.39 (2.03 percent) to $19.58 in trading Thursday.

Several Australian government departments – including home affairs, agriculture, education, employment, communication and arts – told Guardian Australia they use other Symantec products, but not specifically its CloudSOC CASB tool. Home Affairs added that Symantec doesn't hold any sensitive departmental information, according to the report.

And other Australian federal departments – including infrastructure, industry, human services and finance – said they neither use Symantec's CloudSOC services nor store any information with Symantec. Australia's Department of Infrastructure, Transport, Cities and Regional Development, meanwhile, said the department name referenced in the stolen list was "discontinued in 2013."

The data breach prolongs a turbulent period at Symantec, which has included an internal accounting probe, activist investor unrest and enterprise sales struggles. The company has also suffered a brain drain, with CEO Greg Clark, President and COO Michael Fey, EVP and CFO Nicholas Noviello, CMO Michael Williams and Brandon Rogers, SVP of the go-to-market team, all departing since November.