Source of leakage of information about detainees established

June 13, 2014

A consistent problem in maintaining appropriate protection of personal information is training the staff who handle that information and maintain information systems, whether online or in hard copy form. The Australian Privacy Principles and their guidelines make clear that staff training is an important part of maintaining appropriate data security. Having appropriate antivirus software and appropriate protections in website architecture is important. But having appropriate and easily understood protocols regarding the accessing, handling and posting of data is critical. That necessarily involves training and monitoring.

Itnews reports, in "Review reveals extent of access to leaked Immigration data", that the leakage of personal information about individuals held in immigration detention was due to poor data handling practices by staff of the Department of Immigration and Border Protection. There was no hacking involved and the action seems to have been inadvertent. That said, the leakage was very significant: the personal information of 10,000 individuals. While the data was accessed a little over 100 times, which, relative to other breaches, does not make it a large-scale breach, the potential damage remains significant. The information is sensitive. The potential for it to be transmitted elsewhere was real. Screenshots, copying of the data and forwarding it on can magnify the consequences of the original breach.

The article provides:

KPMG blames staff inexperience for breach.

An independent review into the leak of 10,000 asylum seekers’ personal details in February has found the information was accessed over 100 times, with auditor KPMG placing blame for the breach solely on the Department of Immigration and Border Protection.

Earlier this year the department admitted to inadvertently leaking the names, nationalities and boat arrival information of individuals held in a mainland detention facility and on Christmas Island via a document published on its website.

The immigration department immediately took the vulnerable ‘immigration detention and community statistics summary’ offline once alerted to the breach, but the politically sensitive Microsoft Word file remained available on an unnamed public site for over a week.

The department did not provide detail of the incident in order to contain the damage as much as possible, but appointed KPMG to review and report on the breach in order to avoid similar future events. The Privacy Commissioner has also separately been investigating the leak.

In a report released by the department late yesterday, KPMG revealed that significantly more people accessed the document than previously stated, despite comments by the department late last month that the document had only been downloaded 26 times.

KPMG revealed there had been 123 hits on the file from 104 unique IP addresses, and it was “likely” each address had access to the personal information contained within.

The firm withheld specific information on who had downloaded the documents to protect affected detainees, but said it had been accessed by media organisations, Australian Government agencies, internet proxies, the TOR network and web crawlers.

KPMG found that a number of checks and balances relating to web publishing had not been met during the approvals process for the document, which was conducted by staff inexperienced in what to look out for in terms of IT security, and who focused on the hardcopy version of the document rather than the electronic version.

The auditor said the process had been expedited in order to meet a short deadline, and had been handled by staff members unfamiliar with certain Microsoft Word functions and unaware of IT security risks associated with online publishing.

It recommended a number of fixes to avoid a repeat of the incident, including developing a process to normalise and cleanse data being extracted for analysis in a secure environment; updating online publishing quality assurance checklists; holding online publishing workshops with all those involved in the creation of material that may be published online; and developing an IT security training program for all those handling private or sensitive data.

“The department has taken action to implement the recommendations in that report and ensure that this sort of incident does not happen again. The department deeply regrets inadvertently allowing unauthorised access to personal information,” Immigration said in a statement on its website.

 
