Significant data breach at Australian Immigration Department

February 19, 2014 |

The Guardian in Asylum seekers’ identities revealed in Immigration Department data lapse reports on the release of 10,000 adults and children by the Immigration and Border Protection and describes it as one of the most serious privacy breaches in Australia’s History.  That represents details of about a third of all asylum seekers.  By any measure it is an extraordinary lapse. It will be interesting to see how the Privacy Commissioner.  responds.  Quickly and effectively would be a good start especially as the Department acknowledged the breach. Put another way, a failure to respond, investigate and provide a report of findings made would be extremely disappointing. An abrogation of responsibilty.

The article provides:

The personal details of a third of all asylum seekers held in Australia – almost 10,000 adults and children – have been inadvertently released by the Department of Immigration and Border Protection in one of the most serious privacy breaches in Australia’s history.

A vast database containing the full names, nationalities, location, arrival date and boat arrival information was revealed on the department’s website, raising serious concerns that thousands of asylum seekers have had confidential details made public.

Every single person held in a mainland detention facility and on Christmas Island has been identified in the database, as well as several thousand who are living in the community under the community detention program. A large number of children have been identified in the release, which also lists whether asylum seekers are part of family groups.

The breach raises serious questions about whether those identified could be placed at risk of retribution if they are returned to their countries of origin.

The disclosure of the database is a major embarrassment for the federal government, which has adopted a policy of extreme secrecy on asylum-seeker issues.

The asylum seekers named, range in age from newborns to people over 80. They come from countries including Sri Lanka, Afghanistan, Iran and Syria and arrived in Australia as late as September. Some have been in detention for more than 1000 days.

Guardian Australia has chosen not to identify the location of the data and made the department aware of the breach before publication.

The Department of Immigration has released a statement saying the information was never intended to be in the public domain.

“The department acknowledges that the file was vulnerable to unauthorised access. The department is investigating how this occurred to ensure that it does not happen again,” it said.

The department is also likely to have breached Australia’s privacy laws, which places limits on the disclosure of personal information held by government entities. The information privacy principles state that government agencies must ensure that records are protected “by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure”.

At a news conference last November, the immigration minister, Scott Morrison, outlined the government’s responsibility to protect the identities of asylum seekers in its care.

“What the Australian government has an obligation to do, though, is ensure that we take all steps necessary so as not to violate their identity,” he said.

“Now, it is important that people who are making claims about asylum can do so in a discreet way and a private way. And we need to take all reasonable steps under our duty of care to ensure that we don’t expose people to that situation.”

Both the current and previous governments have said the secrecy surrounding Australian detention facilities is necessary to protect asylum seekers’ privacy.

When talking about the restrictions on media access to detention facilities in a November 2012 forum at the Australian Centre of Independent Journalism, the former head of communications at the Immigration Department, Sandi Logan, warned that identifying asylum seekers could lead to more claims succeeding because their identity had been compromised. These are known as “sur place” claims.

“What the end result could be is someone who is not a refugee, does not engage our obligations, winning on the grounds of sur place,” he said.

Logan said the limitations on identifying asylum seekers and preventing access to detention centres was “as much a protection for the department as it is also for the client.”

 Itnews has picked the story up with considerable more recent details in Immigration dept confirms asylum seeker data breach.

It provides:

The Department of Immigration and Border Protection (DIPB) has admitted to inadvertently leaking the personal details of close to 10,000 asylum seekers housed in Australia via its website.

News of the leak was broken today by The Guardian, which reported the database contained full names, nationalities and boat arrival dates and information of all individuals held on a mainland detention facility and on Christmas Island.

In a statement the DIPB confirmed the data breach and said it has taken the information offline.

“The department acknowledges that the file was vulnerable to unauthorised access,” a spokesperson said.

“The file has been removed and the department is investigating how this occurred to ensure that it does not happen again.

“This information was never intended to be in the public domain.”

The department did not clarify whether the data was accessed by other sources.

The data involved in the breach equates to a third of all asylum seekers housed in Australia, according to The Guardian.

Opposition immigration spokesman Richard Marles said the leak appeared to be “one of the most significant breaches of privacy in Australia’s history” and called it “ineptitude of the greatest degree”.

“This is a government with a culture of secrecy but it is utterly unable to manage secrecy,” Marles said.

“This is a government which refuses to put information into the public domain which should be in the public domain, but which [takes] private information which should be nowhere near the public domain, [and] makes it public.

“We need to understand how this happened, and there are serious questions that need to be answered by the government in relation to this.”

Greens Senator Sarah Hanson-Young said the breach made a “mockery” of Prime Minister Tony Abbott’s “obsession with secrecy”. 

“[Immigration minister Scott Morrison] needs to clarify how this occurred, how he will stop it from happening again and how he will ensure the the thousands of asylum seekers whose lives have been put at risk will now be protected because of this huge security breach,” she said.

How did it happen?

Director of security firm Threat Intelligence Ty Miller said the breach may have occurred as a result of a failure in access controls, but said the data should “absolutely not” have been on the department’s web servers in the first place.

“It’s actually more common than you would think. Access controls are one of the most common and significant flaws within web applications and during penetration testing we find these things all the time,” he told iTnews.

“A lot of organisations rely on you not knowing that these files are sitting there, there are a lot of sites that have backup of their databases or source code, and are named things that you may not necessarily guess, but they are accessible.”

The Department has not yet responded to request for comment on whether the files in question had been cached – a situation Miller described as the “worst case scenario”.

He said such data should typically not be connected to public systems and should be stored in a database with restricted access, with sensitive data also encrypted.



Leave a Reply