Cop bungle exposes bank files

June 26, 2006

By Natalie O'Brien and Michael McKinnon, The Australian

The banking details of thousands of Australians have been revealed and an international police investigation jeopardised in a bungle by Australia's peak internet crime-fighting agency. The details of 3500 customers from 18 banks, including names and account numbers, were lost when a classified computer dossier on Russian mafia "phishing" scams was misplaced by the Australian High Tech Crime Centre in April last year.

Inquiries by The Australian have revealed a police officer with the AHTCC lost a memory stick - a tiny disc-like device for storing information - containing the dossier, between Sydney and London.

The blunder has embarrassed the AHTCC, the law enforcement agency charged with investigating the burgeoning online crime wave in Australia.

It threatens to reveal details of police inquiries into the organised crime networks operating in three countries, including Latvia and Estonia.

A number of suspects in Australia have been arrested, but a string of others were still being hunted by police. No arrests have been made since the memory stick was lost.

The bungle comes at a time when eastern European crime gangs, including the Russian mafia, have become a growing threat in Australia with increasingly sophisticated phishing scams, which use emails purporting to be from a bank or a legitimate business asking recipients for confidential material.

Police were in the middle of the investigation when the officer lost the classified information while travelling to London to brief overseas police forces.

The loss of the computer files sparked an exhaustive and ultimately unsuccessful search by Australian Federal Police officers of hotels and airports in Sydney, Singapore and London.

But the bank customers, who had already fallen victim to the crime gangs by providing banking details to bogus email requests, were never told their information had been exposed.

Although some of the banks wanted to inform their customers about the potential breach of their privacy, The Australian understands they were persuaded by the AHTCC not to go public.

AHTCC director Kevin Zuccato said the body did not want to "alert" criminals to the existence of the memory stick.

Mr Zuccato, a federal agent, said the AHTCC was confident that even if the memory stick fell into the wrong hands, there was not enough personal information to enable any further frauds.

He said the accounts of the bank customers who had been targeted by the internet fraud were already under constant surveillance.

"If I thought there was any likelihood of further fraud on the bank customers, we would have told them immediately," Mr Zuccato said. The AHTCC was set up as the top national agency to fight hi-tech crime.

Hosted by the AFP, it is staffed by officers from all Australian state and territory police forces and the big four banks, who work together to fight cyber-crime.

It investigates cyber attacks on the national information and infrastructure networks and in 2004 co-ordinated the nation's biggest crackdown on internet child pornography. Operation Auxin saw the arrests of hundreds of people suspected of accessing child porn online.

The AHTCC's joint banking and finance sector investigation had compiled a dossier on the phishing scams, which included the names of witnesses and suspects in Australia and Eastern Europe and details of the 5600 fraudulent transactions perpetrated on the bank customers' accounts.

Two-thirds of the bank customers had their name, post code and banking institution recorded on the memory stick. The rest had their bank accounts and bank branch numbers as well.

The memory stick was not protected by a password or encryption and the information stored could be accessed by plugging it into a computer.

The police officer who lost the memory stick had broken several rules about transporting classified information.

The unnamed officer not only incorrectly classified the information, he stored it on a memory stick that already contained unrelated but secure information about the AHTCC.
