Home affairs data breach exposes data of 700,000

May 4, 2020 |

Another depressingly familiar data breach involving the Federal Government’s handling of personal information.  This time the Guardian reports the breach involving access to personal details of 774,000 migrants and applicants.  In this case the breach involved the inadvertent display through the SkillsSelect platform of those who expressed an interest in migrating to Australia.  The defect in the platform’s operation permits someone accessing details of a persons age, qualifications and marital status as well as other information. 

What is interesting is that the information dates back to 2014.  According to the Guardian story expressions of interest are stored for 2 years.  Yet the database includes information stretching back 6 years.  That in itself is a concern. 

It will be interesting to see if Home Affairs reports the data breach.  Unfortunately the poor development of these platforms are a chronic problem.  What typically occurs is the platform/portal is established with much fanfare.  And in the main they are very useful.  What happens much less frequently is the testing of the security and auditing of security measures. That is far less interesting and adds to the cost of the project.  But like with all safety devices in the non cyber world, it is an important feature of any structure. 

The article provides:

Privacy experts have blasted the home affairs department for a data breach revealing the personal details of 774,000 migrants and people aspiring to migrate to Australia, including partial names and the outcome of applications.

At a time the federal government is asking Australians to trust the security of data collected by its Covid-Safe contact tracing app, privacy experts are appalled by the breach, which they say is just the latest in a long line of cybersecurity blunders.

The department’s SkillsSelect platform, hosted by the employment department, invites skilled workers and business people to express an interest in migrating to Australia.

Expressions of interest are stored for two years and displayed on a publicly available app, advertised on the home affairs website, allowing them to receive invitations for skilled work visas.

With just two clicks, users of the app can view a range of fields including the applicants’ “ADUserID”, a unique identifier composed of partial name information and numbers.

Searches by Guardian Australia revealed the public database contained 774,326 unique ADUserIDs and 189,426 completed expressions of interest, searchable as far back as 2014.

Other information available includes the applicants’ birth country, age, qualifications, marital status and the outcome of the applications.

By applying multiple filters, a user could narrow down an expression of interest to a single entry, revealing the other details of the applicant.

Monique Mann, an Australian Privacy Foundation board member, told Guardian Australia the breach was “very serious … especially at a time where the Australian government is expecting trust”.

Mann said the information was “comprehensive” and it was “absolutely ludicrous” after academic work by Vanessa Teague and others on the re-identification of health data that the department would make available “information that doesn’t even need to be re-identified, it is contractions of people’s names”.

Mann accused the federal government of a “consistently poor track record that shows that we cannot trust them with our personal information” – citing “blunders” including the My Health Record, robodebt and 2016 census.

Teague, privacy academic and chief executive of Thinking Cybersecurity, said the presence of ADUserIDs “looks like a stuff-up”.

“It certainly looks like if you had a hypothesis about who had applied you could guess their UserID,” she said.

“If you can use this to pin down a specific person that you’re thinking about and from that understand what they had entered into certain categories, then that is a way to extract information you might not already have known.”

When Guardian Australia contacted the home affairs department, responsible for SkillsSelect, and the employment department, which hosts the app on its domain, the platform was taken offline. It is “currently undergoing maintenance”.

Mann said it was a further concern the department had not identified the breach itself.

“What processes of auditing and oversight are occurring within department of home affairs?

“This department is responsible for policing, border protection and intelligence. You would expect a greater level of information security than this.”

Anna Johnston, the principal of Salinger Privacy, said Australia’s breach notification scheme requires Australian government agencies to notify the privacy commissioner and affected individuals, of any data breach which is “likely to result in serious harm”.

“A failure to notify an eligible data breach can be grounds for a person to make a complaint or for the [office of the information commissioner] to issue a penalty,” she said.

The employment department said it merely “supports [the department of home affairs] by delivering the IT solutions for this program”.

“In line with the Australian government public data policy statement, [the departments] collaborated in early 2020 to make available a report which informs the public about the take-up and general characteristics of applications received through the SkillSelect program.

“This report does not display any personal information and focuses primarily on the number of applications received by each occupation code and geographic region.”



Leave a Reply

Verified by MonsterInsights