IBM makes meek apology for Oz #CensusFail, offers no fail detail

Australian PM and sources say Big Blue skipped on DoS protection

IBM has finally broken its silence about the failure of Australia's online census, but only with meaningless PR blather that leaves the cause of the mess a mystery.

Australians were supposed to complete their census forms online on Tuesday evening, but the site crashed, leading to allegations that offshore hackers had staged a denial of service attack. Wild theories suggested Chinese swimming fans were behind the crash, as an Australian Olympian had trash-talked a Chinese rival's past doping ban.

Whatever the cause, Australia's prime minister Malcolm Turnbull today declared IBM has very big issues to address. Turnbull's opinion is founded on his confirmation the census site was hit by a denial of service (DoS) attack but lacked proper protection against that eminently foreseeable form of attack.

The Register has been asking IBM for comment since 9:00pm on Tuesday evening. Big Blue finally cobbled the following together in the last hour:

We genuinely regret the inconvenience that has occurred.  We want to thank the Australian Bureau of Statistics, the Australian Signal Directorate and [Australian cyber-security chief] Alastair MacGibbon for their continued support. IBM’s priority over the last two days was to work with the ABS to restore the Census site. We are committed to our role in the delivery of this project. Continuing to maintain the privacy and security of personal information is paramount. The Australian Signals Directorate has confirmed no data was compromised. Our cyber-security experts are partnering with national intelligence agencies to ensure the ongoing integrity of the site.

Which goes precisely no distance towards answering the many questions The Register has put to IBM about the network configuration employed for the census site, bandwidth provisioned, defences arrayed against attackers and number of servers dedicated to the task.

In the absence of any useful information from Big Blue, we offer our story from yesterday in which networking professionals told us they could see no evidence of a DoS attack.

Our sources' assessment chimes with a new theory from friend of The Reg and security podcaster Patrick Gray, who at his Risky Business site has offered a we-understand-to-be-well-informed theory that IBM and the ABS decided that geo-blocking alone would protect the census from a DoS and therefore chose not to use a dedicated DoS-buster.

The theory continues that this was then revealed as folly when an attack from inside Australia hit the site, causing a router to fall over. Later in the day, Gray suggests, alerts appeared hinting at possible data exfiltration.

At which point the Bureau and IBM shut down the census and unleashed a political sh*tstorm as Australia's government tried to explain how a AU$400m exercise already dogged by privacy concerns had descended into expensive farce.

The census site was restored to service nearly 48 hours after being taken out of service. Completing the census is compulsory, but many among Vulture South's friends and acquaintances intend to use the outage as a way to claim completion without doing so as a salve for their privacy concerns. ®

Sponsored: Detecting cyber attacks as a small to medium business


Biting the hand that feeds IT © 1998–2020