Agents working for the Australian Federal Police have their personal information exposed in Colombian data leak

October 17, 2022 |

One of the most challenging issues for any organisation is securing information they have collected which has been provided to a third party.  It makes financial sense for data to be processed overseas and call centres for Australian companies on the subcontinent and Asia are ubiquitous.  Under the Australian Privacy Principle 8, Cross Border disclosure of personal information, organisations covered by the Privacy Act must take “reasonable steps” to ensure that personal information disclosed to overseas entities do not breach the Australian Privacy Principles. More particularly an organisation or government agency that does disclose personal information is liable for the breach of the Australian Privacy Principles by an overseas entity handling that information.

The Australian Federal Police is an APP entity under the Act.

It appears that information about agents engaged by the Australian Federal Police overseas, have been stolen from the Colombian Government in a cyber attack.  That information includes the identities of the agents. Given the murder rate in Colombia is three times that of the United States and drug cartels still operate in that part of Latin America the safety of those agents is more important that a possible breach of the Privacy Act.  There would be a real issue about whether there was a breach of the Privacy Act in any event.  The exemptions for law enforcement are extensive and the facts here are thin on the ground.

The article provides:

Identities of secret agents working for the Australian Federal Police (AFP) have been exposed after hackers leaked documents stolen from the Colombian government.

The leak comes from a hacktivist group called Guacamaya and includes more than five terabytes of classified data, including emails, documents, and methods AFP agents were using to stop drug cartels from running their business in Australia.

Details exposed this way are from 35 AFP operations, some of them still active, and also include surveillance reports from agents, phone tap recordings, and payroll data for Colombian officers.

The AFP is not the only law enforcement agency collaborating with the Colombian government so police agencies from other countries are likely to be affected.

AFP confirmed the exposure to ‘The Sydney Morning Herald’ sharing the following statement:

The AFP is concerned about possible breaches of operational security as a consequence of this data compromise.

The AFP is working with our partners in impacted regions to mitigate any potential threats to the safety of people, or ongoing investigations.

Guacamaya hackers

Guacamaya describes itself as a hacktivist group fighting against repressive and corrupt regimes in Latin America.

In September, Guacamaya announced they had victimized multiple Latin American state, military, and law enforcement agencies and shared the data with a whistleblower news site.

The site shared data samples with the wider public and provided the entire collection only to journalists. However, there is no way to verify if the hackers distributed the leak with other parties.

Among the victims are the Chilean Armed Forces, the Peruvian Army, the Joint Command of the Armed Forces of Peru, the Armed Forces of El Salvador, the National Civil Police of El Salvador, the Secretariat of National Defense of Mexico, and the General Command of the Military Forces of Colombia.

The hack that compromised AFP targeted the Office of the Attorney General of Colombia, an AFP partner that enabled carrying out undercover operations in Australia to fight drug trafficking and importation channels in the country.

Leave a Reply