Mosman City Council hit by hacker

Mosman Council has confirmed that an organisation hacked council’s websites and made the content available for download.
In a statement on its website the council said no ratepayer information from Council’s internal systems has been accessed.
The attackers used an SQL injection exploit on a subsidiary website deployed some years ago, which allowed them to initiate a ‘data dump’ of some of the council’s public-facing websites.
According to the council, information being made available was essentially what constituents were able to access when browsing the sites.
The web editors’ passwords were re-encrypted and changed.
Mosman Council’s web team said via a statement that it had examined the files made available by the hackers.
“The exploit was made on a custom script that managed a small local information project,” the team said.
“The script was deployed in 2003 for this project alone and is not used on any other site or server.
“That script has now been removed from the webserver. The breach is embarrassing and stricter controls are being implemented to ensure compromised sites cannot access other website content.”
The web team reiterated that the content taken in the hack was basically public information that is being published to the web.
The content editors’ usernames, email addresses and passwords were exposed, but the passwords are encrypted using strong industry-grade encryption techniques and have since been changed anyway.
“No breach was made of our internal systems or data,” the team said.
“We publish most of our public-facing websites using open source software, most often Textpattern.
“We choose tools, like Textpattern, that have a focus on security.”
“The exploit was in no way related to the services provided by our web host,” the web team stated.
