Website content breach
Mosman Council is aware that an organisation has hacked Council’s websites and is making that content available for download.
However, no ratepayer information from Council’s internal systems has been accessed.
The hack was made via an SQL injection exploit on a subsidiary website deployed some years ago. The hack was able to initiate a ‘data dump’ of some of our public-facing websites. The information being made available is essentially what you are able to access when browsing our websites. The web editors’ passwords are encrypted, and are now being changed.
There has been no unauthorised access to Council’s internal systems.
Update – Wed 29 June
A statement from Mosman Council’s webteam:
We have examined the files made available by the hackers.
The exploit was made on a custom script that managed a small local information project. The script was deployed in 2003 for this project alone and is not used on any other site or server. That script has now been removed from the webserver. The breach is embarrassing and stricter controls are being implemented to ensure compromised sites cannot access other website content.
We would like to reiterate that the content taken in the hack is public information that is already being published to the web. The content editors’ usernames, email addresses and passwords were exposed, but the passwords are encrypted using strong industry-grade encryption techniques and have since been changed anyway.
No breach was made of our internal systems or data.
We publish most of our public-facing websites using open source software, most often Textpattern. This allows us to publish quickly and cost-effectively. We choose tools, like Textpattern, that have a focus on security. We regularly update this software and the server environment. The exploit did not breach these systems. The exploit was in no way related to the services provided by our web host.
We appreciate the concern expressed regarding this incident and the advice received from security professionals and our web host.
You don’t need to hack our website to get our data.