auDA (.au Domain Administration) have allowed thousands of domain holders’ personal information to be harvested through their own WHOIS.
On 6 December 2024, auDA stated:
On 5 December, auDA became aware of a software error in a new .au WHOIS tool on the WHOIS page of auDA’s website at https://www.auda.org.au/au-domain-names/au-tools/au-whois/. For compliance and verification purposes, the tool is designed to allow searches of domain name registrations and to display the name and email address of contacts associated with a domain name licence.
The software error meant that it was possible to view additional information within the domain name record (the postal address, phone number and fax number (if available)). While nothing on the page indicated to viewers that they could access this information, it was accessible via developer tools, available within web browsers.
Upon identification of the software error, auDA immediately disabled the tool on the auDA website.
Our investigation of the incident indicates the records of approximately 1,500 domain name registrations may be impacted, including yours.
We apologise for this inadvertent disclosure of your personal information.
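The mechanism auDA describes above, where the full record is sent to the browser and the page simply declines to render part of it, is a server-side filtering problem: the hidden fields are still in the HTTP response, so browser developer tools show them. The following is an added illustration in Node.js-style JavaScript, not auDA's code; the sample record, field names and function names are constructed for this example, with the leaky lookup beside an allow-listed version.

```javascript
// Added illustration (not auDA's code): server-side allow-listing of WHOIS
// fields so that what the browser receives is exactly what the page shows.
// The record below is constructed sample data, not a real .au registration.
const sampleRecord = {
  domain: "example.com.au",
  registrant_name: "IT Manager",
  registrant_email: "hostmaster@example.com.au",
  postal_address: "PO Box 1, Example NSW 2000",
  phone: "+61 2 0000 0000",
  fax: "+61 2 0000 0001",
};

// Fields the compliance lookup is meant to expose (per the incident notice:
// name and email of the contacts for a licence).
const PUBLIC_FIELDS = ["domain", "registrant_name", "registrant_email"];

// Failure mode described in the notice: the API returns the whole record and
// relies on the page template to hide the rest. The address, phone and fax
// fields are still in the response body, so developer tools reveal them.
function leakyLookup(record) {
  return { ...record };
}

// Hardened version: the server projects the record onto an explicit
// allow-list before serialising it. Fields not named in PUBLIC_FIELDS never
// leave the server, regardless of what the front end chooses to render.
function filteredLookup(record) {
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, field)) {
      out[field] = record[field];
    }
  }
  return out;
}

// Regression check: which non-public fields does a response carry?
// An API test asserting this returns [] would have caught the bug.
function leakedFields(response) {
  return Object.keys(response).filter((k) => !PUBLIC_FIELDS.includes(k));
}
```

Running `leakedFields(leakyLookup(sampleRecord))` lists the three contact fields the notice says were exposed, while the filtered version returns an empty list.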
auDA then encouraged Australian domain name holders to:
consider updating the contact information for domain name licences you hold to limit the personal information linked to your licence. You can do this by listing role-based contacts (such as CEO, IT Manager), using a business address or PO Box, and using a business phone number rather than a personal phone number.
We asked a few domain investors how they interpreted this and many said it reads as “don’t use your real information, just put IT MANAGER as your name, whack in a cheap registered office post office box as your address, and chuck in a phone number you don’t really use.” If this is what auDA wants everyone to do, why do they need any WHOIS information at all? We guess this also means they have never really cared what people have entered into the Registrant information boxes when registering Australian domain names.
auDA have stated they think this has happened to around 1,500 domain names, out of the 3.5 million they manage and charge annual renewals for, which generates tens of millions of dollars for the non-profit every year. Many domain investors we spoke to today have received dozens of these “incident notices”, meaning the real number is probably much higher than auDA are stating.
This all comes as auDA CEO Rosemary Sinclair prepares to retire from her role in the next few weeks.
As we reported back in April 2024, she is leaving her role as auDA CEO with quite a few blemishes, including never approving a new Registrar and allowing one single private company to hold a monopoly over the daily expired domain name auction process, and this is yet another. We will be posting an updated version of this article over the coming weeks.
This software error has probably existed since the launch of the new auDA website a few weeks ago. Looks to me like failure to test the site properly. auDA IT department and the web developers should be held accountable. The usual lack of transparency from auDA means we have no clue how many tens of thousands of dollars were paid for the new site, which fundamentally is not much different from the old one except built using Node.js.
So, this sets the precedent. No domain can be taken from you because of inaccurate information. You have a letter from auDA recommending it!!