A spate of leaks (read data breaches) from Governments

May 29, 2019

Leaks from government are as old as government itself. Leaks serve a myriad of purposes: foreshadowing a decision, undermining opponents or their plans, acting as a stalking horse to gauge public opinion and being a straw man that can be used to kill off a measure that is uncomfortably close to being announced, just to mention a few. Leaking of plans, discussions, decisions made or not made and strategies is rarely seen as edifying, and is often treated as something a little icky, but it is universally seen as a legitimate tool in the black bag of political tricks. It is also often quite effective, killing off proposals and sometimes political careers.

Leaking personal information is something else, however. Which is why yesterday’s story about the leak of motorists’ details being linked to a New South Wales Minister’s office is so serious. The leak was of a spreadsheet containing the personal information of hundreds of motorists which found its way into the hands of a journalist. The genesis of the breach is depressingly common: a departmental officer sending an attachment listing calls to a hotline. The document contained personal information of motorists including that of the soon to be opposition leader, Michael Daley, and his wife. When the Department realised the breach it did the right thing and advised the Privacy Commissioner but before then the document had been given to a journalist. The transmission of the document to the journalist was for political purposes.

It is unusual, and heartening, that the investigation has kept running and been effective in identifying the likely source of the leak. Often these investigations splutter out or have a blanket thrown over them. In this case the likely suspects were limited and the use of the data was particularly ham-fisted and obvious. It was a dirty trick of a fairly unsophisticated nature. No doubt there are more chapters in this story. The story provides:

A Berejiklian government minister’s office was told to destroy a departmental document containing the private details of hundreds of motorists, including then NSW opposition leader Michael Daley, but the spreadsheet ended up in the hands of a journalist.

A police investigation into the leak of the document’s details, which surfaced during the NSW election campaign in March, has interviewed 10 staffers now working in the office of Customer Service Minister Victor Dominello.

The Australian can reveal the state’s Privacy Commission has also reviewed the matter after Mr Dominello’s department referred the breach to it. The saga began last year when Mr Dominello’s office asked the government department Revenue NSW for a breakdown of the number of calls to a special hotline MPs can use for their constituents to help them with driving offences.

The department accidentally sent a tab showing private details of many motorists, including Mr Daley and his wife. The document also showed Mr Daley’s electorate staff rang to tell the department Mr Daley’s wife, Christina, was driving his car when a traffic offence was incurred.

Several months later, shortly after Mr Daley became Labor leader in October, a departmental liaison officer for Mr Dominello asked for more information on the document from the department. At this point, the Commissioner of Revenue NSW, Stephen Brady, is said to have realised the distribution of the document, containing hundreds of motorists’ private information, was a privacy breach. He ordered it be referred to the Privacy Commissioner and told Mr Dominello’s office to delete the file. But the document instead found the way into the hands of a newspaper journalist.

Revelations of the breach come after Mr Dominello, who is close to Premier Gladys Berejiklian, has been put in charge of all the data for the government in his role as head of the new Customer Service portfolio. At the time of the incident, Mr Dominello was finance minister.

The Australian revealed earlier this month that one of Mr Dominello’s staffers, Tom Green, was seconded to the Liberal campaign “dirt unit” to work alongside another government staffer, John Macgowan, during the state election campaign.

Mr Macgowan was named by Labor in parliament this month as the man who distributed the information to a journalist at The Sydney Morning Herald.

He declined to comment at the time.

Mr Brady said yesterday in a statement: “When Revenue NSW became aware of the incident, the Information and Privacy Commission [IPC] was immediately notified.

“The IPC recommended Revenue NSW take the opportunity to review governance arrangements to ensure all staff are aware of their privacy obligations.

“Revenue NSW has complied with this recommendation, reviewing approval procedures and ensuring training on privacy obligations is tracked so that similar incidents do not occur in future.”

In parliament earlier this month, Mr Dominello attempted to laugh off the police probe.

In response to an opposition question, he said: “For the past 24 hours, something has been weighing on my conscience and I have been tossing and turning about whether I need to correct the record.

“Yesterday I said it was four years since I was asked a question by the opposition; it was actually five years,” he said, to much laughter from his colleagues.

“But there is a police investigation under way: I have directed my staff and my agency to co-operate with it and I will not be saying anything further.”

Mr Daley, when contacted by The Australian over the matter yesterday, said: “It doesn’t get much more serious than this.

“The private details of thousands of people which are supposed to be guarded by the government and they were released for political purposes.

“I do not intend to let this matter rest.”

Police are expected to refer the matter to the Independent Commission Against Corruption, as they do not have enough evidence to lay a charge.

Mr Dominello responded to The Australian’s questions with a one-line statement yesterday, saying: “I am not in a position to comment on this matter until the police investigation is finalised.”

Without proper training the unauthorised sharing of data can be a real governance problem. For example, it was reported last week that in the United States patient data held by a medical system, TriHealth, was shared in June 2018 with a student who wasn’t authorised to receive it. The data included patients’ full names, their dates of birth and cancer diagnosis information. That has triggered a notification to those whose data was misused. The notice provides:

TriHealth has recently confirmed that patient data was shared with a student mentee on June 8, 2018 and June 9, 2018 under the leadership of a former TriHealth physician, who was examining patient information for a possible research project. The student mentee was not a TriHealth approved workforce member and, therefore, was not authorized to view the data.

Information shared with the student mentee included first and last names of patients, dates of birth, zip codes, ethnicity, life status (deceased or alive) and cancer diagnosis information. TriHealth is sending letters to inform the 2,433 patients affected by the disclosure.

Social Security numbers, addresses, insurance and financial information were NOT shared. TriHealth is not aware of any further access, disclosure, or use of the affected patients’ medical information. TriHealth recommends that healthcare consumers read their insurance statements and bills to ensure accuracy.

TriHealth takes its patients’ Privacy seriously. TriHealth Compliance Program investigates Privacy concerns by interviewing involved parties and auditing logged access into its electronic medical records. TriHealth Team Members are educated to Privacy policies when they are hired and provided with annual re-education. Employees are held accountable to TriHealth policies and violation results in corrective action, up to and including discharge from employment. This process was followed for the above matter.

What is important to realise is that the most common weakness in any cyber defence is the human operator. Governments and businesses do not put enough time, effort and resources into privacy training. That should be of little surprise given the weak laws and timid regulation of what laws there are. As the article “Cyber attacks by foreign governments, malicious companies and enterprising hackers are on the rise. And the biggest problem is you” makes clear, the result is that individuals are the best gateway into a system.

Another serious leak from across the Tasman is the report that New Zealand Treasury was hacked and the Government’s budget was leaked to the opposition a day ahead of it being presented to the Parliament. That is a massive breach and one that can have significant ramifications both for confidence and financially. Early and private warnings of spending and taxation proposals can result in market manipulation to avoid losses or get windfalls. Not to mention the significant reputational damage to a Government. The article provides:

New Zealand’s Treasury Secretary Gabriel Makhlouf claims the Treasury’s website has been hacked after the opposition National Party claimed to have released details of the country’s national budget.

Mr Makhlouf told NZ radio this morning there had been more than 2000 unauthorised attempts at hacking the website that appeared aimed at Budget-related information.

“We know that over the period of, say, 48 hours, maybe a bit longer, a number of attempts were made to access information that wasn’t ready for public release,” he said.

The leak has caused serious headaches for Jacinda Ardern’s government ahead of their much-touted unveiling tomorrow.

The government had labelled tomorrow’s blueprint as a “Wellbeing Budget”, its second go at the annual books and one that will for the first time explicitly put measures such as child poverty next to the usual economic bottom lines.

International and domestic observers have been keenly waiting to see what this new kind of government accounting will yield.

But the centre-right opposition grabbed the headlines yesterday by releasing what it said were 20 pages of details from the budget it had gained access to ahead of time, covering a range of departments. A few hours later, another release followed.

Nationals leader Simon Bridges insisted the party acted legally and did not obtain the documents by hacking. However he refused to say how the party had obtained the documents.

“We have acted entirely appropriately. We have done nothing illegal,” he told the NZ Herald.

“(Finance Minister) Grant Robertson has been freaking out over this. They are in a frenzy over this… They then decide to lash out. They are going for it… looking for scapegoats, for people to blame.

“The National Party has acted entirely appropriately… and I think Grant Robertson knows that,” Mr Bridges said.

Speaking of the leak itself, he said: “This is unprecedented. I can’t think historically of anything like this. It shows how loose and incompetent the government is.”

He wouldn’t say where the numbers came from or even whether they were deliberately leaked, making them difficult to verify. He has, however, used the figures to argue that the government will still be spending up large on areas such as defence and international development assistance, despite what was meant to be a focus on welfare.

The budget is one of the government’s most closely guarded secrets and a leak would be a serious concern.

In 1986 New Zealand’s then-finance minister Roger Douglas offered to resign after the accounts were sent out early.

Finance Minister Grant Robertson was adamant what’s been shown to the public isn’t the upcoming budget, but admits at least some of it is right.

He also said the biggest parts of the plan were missing from the document and the claims about defence spending were misleading.

“This is not the real budget,” he said.
