13 June 2014

Immigration Data Breach Report

The Department of Immigration & Border Protection (DIBP) has released an edited report by KPMG regarding the breach of sensitive information noted earlier this year and reflected in recent judgments.

The report [PDF] appears in a format apparently aimed at inhibiting copying. Alas, if only the Department had taken similar care regarding safeguarding of information about vulnerable people.

KPMG - somewhat at odds with recent statements by the Department - indicates that the breached document was downloaded 123 times “from multiple sources” with 104 unique IP addresses. The “potential data access and distribution is widespread”, with scope for dissemination to readers who might not have the best interests of the refugees at heart.

The report notes confusion and resultant susceptibility to "human error" within DIBP regarding the clearance checks needed for publishing material on the web, with checking of documents involving scrutiny of hardcopy rather than softcopy.

KPMG indicates that
“neither the content authors, nor the director of the responsible reporting team” were aware that they were responsible for assuring material was appropriately monitored and controlled for publication on the web. Authors and approvers were generally unaware that the IT security risk which led to this incident, could occur and were therefore not mindful of checking for indicators of this risk.
KPMG recommends that DIBP develop procedures for “cleansing” personal data, update review procedures, develop an IT security training program and incorporate privacy training in connection with the Australian Privacy Principles.

The separate review by the OAIC is apparently still underway.

The data breach of the day meanwhile comes from Optus, which is reported by the SMH to have mistakenly provided Sensis - the White Pages publisher - with the names, mobile numbers and addresses of an undisclosed number of 'silent' customers. The info accordingly appeared in the Sensis online and print directory.

Optus discovered the problem in April and - of course - "took immediate steps to remove customers’ details from the White Pages online". The telco reportedly began notifying customers last week, with a letter indicating that
Optus can confirm that a system configuration error has resulted in the numbers of some pre-paid mobile and mobile broadband customers being incorrectly listed in the White Pages. 
All necessary steps have been taken to ensure personal information has been removed from online and operator-assisted directory listing services and from all future hard-copy editions of the White Pages.
Optus is reportedly arranging a free change of mobile number for affected customers. The SMH notes the usual rhetoric -
Optus is focused on making things better for our customers, which means being honest and transparent about our mistakes and fixing them when they occur.
Optus apologises to all customers who have been affected by this mistake.
Customers who wish to change their number or speak directly with Optus about this matter should contact us ... Monday to Friday 9am-5pm AEST.