Australian Customs portal exposes data

Computerworld Australia - SYDNEY -- The Australian Customs Service has admitted that some users have been able to access and view other users' import documentation under the latest phase of its beleaguered new Integrated Cargo System, despite security assessment under the Defense Signals Directorate's I-RAP (Infosec-Registered Assessor Program).
ICS Imports is the final and largest component of the Customs Services' decade-long, $150 million overhaul of its cargo processing systems. It went live last week.
A Web-based transactional portal running into IBM zSeries mainframes with PKI certificates for authentication, the ICS processes Customs clearances for cargo entering and leaving Australia, with customers required by law to use the system.
ICS Imports, and its Customs Interactive front end, also replaces the Compile sea cargo system which was largely based on hardwired, electronic data interchange (EDI) terminals.
Angry users contacted Computerworld Australia complaining they have been able to view sensitive details of each other's import data, with one user claiming to have seen data on imports from a car manufacturer.
Asking not to be named for legal reasons, one Customs customer described the incident as "a major compromise." He added that he expected users to berate Customs Minister Chris Ellison and threaten to sue his agency in the event sensitive commercial information is leaked as a result of sloppy security.
"This is really not good at all," the source said.
Customs CIO Murray Harrison said he was aware of some "very isolated cases" where customers had seen each other's data. However, he denied sensitive commercial information had been compromised.
"We understand there was an issue, but the fix is in. There is no general issue that people can see each other's data," he said.
Conceding ICS imports had been assessed in line with I-RAP security standards, Harrison said the problem had been fixed and that an investigation was under way as to how the problem arose.
The Customs' agency's admission that users can see each other's details adds an ironic twist to a week of bitter complaints from customs brokers and freight forwarders who struggled to clear containers through the new system, because of strict new data hygiene requirements.
Thousands of containers are stranded at Australian ports after the new system started automatically rejecting en masse electronic clearance requests generated by shippers because of poor data quality.
While the Customs department has spent the last two years warning industry that its new system will automatically reject any numerical variation in electronic clearance documentation, it appears both the agency and industry grossly underestimated how strict new data-hygiene