The Supreme Court of Victoria has ruled that the Australian Domain Name Administrator (auDA) acted correctly in its decision to terminate the registrar accreditation of Australian Style Pty Ltd (which is owned by Nicholas Bolton and traded as Bottle Domains).
In February 2009, auDA was notified by the Australian Federal Police that there had been a security incident which affected customers of Bottle Domains.
The decision by auDA to terminate Bottle Domains’ auDA accreditation as a registrar followed this security incident that may have resulted in the account information of Bottle Domains’ registrants being accessed by third parties.
auDA discovered that Bottle Domains was the subject of a similar security breach in April 2007, and it believes the failure by Bottle Domains to report this breach may have caused or contributed to the incident this year.
The failure by Bottle Domains to notify auDA of the security breach in 2007 was a breach of its obligations under its Registrar Agreement with auDA, and consequently resulted in auDA’s termination of Bottle Domains’ accreditation as a registrar.
auDA has since discovered that Bottle Domains was the subject of an earlier security incident in April 2007, which auDA believes may have caused or contributed to the security incident in February 2009.
Bottle Domains failed to notify auDA at the time of the April 2007 security incident, which was a breach of its obligations under the Registrar Agreement.
“auDA takes security issues very seriously,” said auDA CEO Chris Disspain in a media release. “In our view, Bottle Domains’ failure to deal properly with the security incident in April 2007 demonstrated an alarming disregard of the potential risks to its own customers, and to the overall stability and integrity of the Australian DNS.”
“Given the seriousness of the matter, it is appropriate that auDA terminate Bottle Domains’ registrar accreditation.”
Information provided to auDA by Bottle Domains in regard to the April 2007 incident revealed that it did not reset customer passwords or alert its customers to the possibility that their account information had been accessed by third parties. Bottle Domains also failed to conduct an independent security audit to verify that the security vulnerability had been fixed, and that there was no other unauthorised access to its systems.
Australian Style Pty Ltd claims that auDA was not notified of the 2007 security incident because the company did not consider it to be a breach. It believed that no registrant information had been compromised and that the unauthorised access was engaged in as part of software testing of the system’s vulnerabilities. Nonetheless, the Supreme Court of Victoria rejected these claims, ruling that what happened in 2007 should be classed as a breach.
“It is not to the point that Mr Bolton was informed that this unauthorised access was engaged in for an innocent purpose (to test the vulnerability of the Australian Style system) without any private information being obtained. The security breach occurred when the unauthorised PHP injection was performed,” said Justice Hargrave.
The Supreme Court of Victoria decided that Australian Style had therefore gone against the registrar agreement by not notifying auDA of the problem. In handing down his judgment, Justice Hargrave stated that Bottle Domains’ failure to report this security breach prevented auDA from performing its regulatory role under the agreement, contributing to the further breach this year.
Bottle Domains was also found to be in breach of its registrar agreement for misleading auDA when it sent out e-mails to registrants regarding the 2009 security breach, with Justice Hargrave believing that this was an attempt to play down the severity of the situation.
“Mr Bolton’s conduct following the 2009 security breach…preferred the commercial interests of Australian Style to the legitimate interests of registrants who may have been affected,” Justice Hargrave stated.
“There was nothing unreasonable about [auDA’s] decision to terminate the agreement.” Final orders will be made by the Supreme Court of Victoria on 30 September, 2009.