So it appears that First State Super have decided not to prosecute the customer who informed them of a (possibly longstanding?) vulnerability in their website - how kind of them. Of course it did take being lambasted in the media to cause the about-face, and it has resulted in unwanted attention from the privacy commissioner...
And the fallout doesn't end there, as it appears that the company responsible for the (in)security of First State is also responsible for other superannuation websites - including recently being awarded a contract for looking after the security of a Government employee superannuation fund...uh-oh!

In not entirely unrelated news, the SEC in the US has released new guidelines requiring disclosure of InfoSec incidents. While only guidelines at the moment, I think this is a step in the right direction. Even if little else changes, it might give us some better data on the rates of intrusions and incidents at these big companies.