Operation Turton, IBAC’s special report into hacking and misuse of information, highlights the overlap of security, corruption and basic issues of privacy and data security, and the inadequacy of Australian privacy regulation
September 25, 2024
The Parliament of Victoria tabled a special report by Victoria’s Independent Broad-based Anti-corruption Commission (“IBAC”) titled Operation Turton. It is a report about repeated instances where employees inappropriately accessed and misused sensitive information at the Metropolitan Fire Brigade (MFB). It has been reported in The Australian and The Age. The investigation concluded in 2021.
The Report clearly goes to the behaviour of individuals and the misuse of private information for improper purposes. But for privacy practitioners it is a useful report to show the need for proper data security practices and training. Fire Rescue Victoria had clear vulnerabilities in its data security which allowed for the breaches that occurred.
In the analog age there was misuse of information contained in documents. Reports and correspondence were copied and leaked. The challenges of controlling information flow grew with the digitisation of documents, the use of emails and means of leaking material. Under privacy legislation in every jurisdiction governments or organisations must maintain adequate data security. That includes password protections and requiring proper authorisation to access certain documents. But every system has vulnerabilities, the prime one being a failure to properly maintain data security standards and check for weaknesses.
The Report:
- identified five separate incidents where MFB information was accessed or disclosed without authorisation, with three incidents involving public servants from MFB’s Information and Communications Services business area.
- found individuals shared sensitive MFB information directly with the United Firefighters Union (UFU) without permission.
- found Mr Marshall sought assistance from employees to inappropriately gather sensitive information on internal investigations related to him, executive contracts and another confidential organisational matter.
- identified MFB was operating with significant information security vulnerabilities and under a restrictive agreement with the UFU that impaired MFB’s ability to address issues.
The recommendations include:
Recommendation 1
Fire Rescue Victoria develops clear policies and procedures regarding the matters that may be the subject of consultation with employees and their representatives at the Consultation Committee, and in what circumstances Fire Rescue Victoria information may be disclosed to employees and their representatives to inform that consultation.
Recommendation 2
Fire Rescue Victoria addresses the information and communication technology security vulnerabilities and risks identified in Operation Turton by:
(a) actioning the consolidated findings of the audit and reviews conducted in this area since 2018
(b) engaging an appropriately qualified independent person to review information security infrastructure, policy and procedures to identify any remaining deficiencies against the Victorian Protective Data Security Standards and Framework or any other issues
(c) consulting with the Office of the Victorian Information Commissioner on the adequacy of its information security in line with the Privacy and Data Protection Act 2014 (Vic), including how it is addressing any shortfalls identified in the review recommended above. To support and inform this consultation, FRV must provide the Office of the Victorian Information Commissioner with the full final report of the independent person referred to in Recommendation 2(b).
Recommendation 3
Fire Rescue Victoria reviews and strengthens its policies and procedures for employees on how to appropriately share information with their unions in line with the enterprise bargaining agreements, the Privacy and Data Protection Act 2014 (Vic) and the Victorian public sector Code of Conduct. Alongside these policies being appropriately enforced, they should also clearly state that noncompliance could lead to disciplinary action being taken, termination of employment or constitute a criminal offence.
The Australian article provides:
Victoria’s anti-corruption watchdog has found emails of Victoria’s fire chiefs were hacked five times and the hackers were public servants “motivated to misuse” the information “to further the interests” of the firefighters union and its state secretary Peter Marshall.
A bombshell report tabled in parliament on Wednesday has finally lifted the lid on a marathon top secret inquiry by IBAC – codenamed Operation Turton – into the hacking of internal communications at the then Metropolitan Fire Brigade.
In a foreword to the report, IBAC commissioner Victoria Elliott stated:
“IBAC identified five separate incidents where MFB information was accessed or disclosed without authorisation, with three incidents involving public servants from MFB’s Information and Communications Services business area.
“In incidents that IBAC identified, individuals involved were motivated to misuse MFB information to further the interests of the Victorian branch of the United Firefighters Union (UFU) or its Secretary, Peter Marshall.
“In addition to accessing other employees’ email accounts, IBAC found individuals shared sensitive MFB information directly with the UFU without permission.
“IBAC’s investigation also found that Mr Marshall sought assistance from employees to inappropriately gather sensitive information on internal investigations related to him, executive contracts and another confidential organisational matter. Operation Turton highlights how information misuse can enable misconduct and can be used to advance personal and industrial interests.”
IBAC launched the inquiry after senior MFB managers became suspicious that their emails and other communications were being hacked. The Australian has previously reported that figures familiar with the inquiry said MFB chiefs suspected the email system was compromised to access documents linked to a planned overhaul of the service that was likely to lead to the relocation of fire stations.
Their concerns about the security of the email system were triggered early in 2019 when a PowerPoint presentation detailing the proposed use of fire incident response simulation software was leaked to the government prior to its presentation by fire chiefs.
The software maps incident types, response standards and targets for each incident type, appliances that go to each incident, location of fire stations, the number and type of appliances at each fire station, travel times and rostering patterns.
The PowerPoint presentation, dated March 6, 2019, detailed the services a UK-based software firm, Process Evolution, would provide to help implement a sweeping overhaul mapped out in a risk management report commissioned by then chief officer Dan Stephens.
In 2021, The Australian quoted a source with knowledge of the inquiry saying: “How did (the government) get it because it hadn’t been sent to them? They (MFB management) all believed that their emails were being intercepted.”
A second IBAC probe relating to the fire services — codenamed Operation Richmond — is also continuing under tight secrecy. The inquiry is focused on the 2016 EBA negotiations between the Andrews government and the United Firefighters Union.
The EBA negotiations erupted into a full-blown political scandal after it emerged then premier Daniel Andrews sidelined his emergency services minister, Jane Garrett, to lead the talks including personally meeting with UFU state secretary Peter Marshall.
Despite opposition within his own government to the generous workplace deal, Mr Andrews pushed it through, prompting the resignation of Ms Garrett amid speculation it was payback for union support during the 2014 state election, when Labor regained power.
Mr Andrews and IBAC have refused to confirm or deny that he was privately examined as part of Operation Richmond, but The Australian has confirmed that witnesses were questioned about his conduct in the EBA negotiations.
In its 40-page report, IBAC laid much of the responsibility for the hacking on a desire by staff to help Mr Marshall and the UFU.
“Operation Turton highlights how information misuse can enable misconduct and can be used to advance personal and industrial interests,” the report states.
“It appears these incidents were largely driven by a desire to further the interests of the Victorian Branch of the United Firefighters Union (UFU) or its Secretary, Peter Marshall.
“It was clear these incidents were facilitated by a workplace culture where employees did not trust management and did not believe them to be acting in the best interests of the organisation or its employees.
“In relation to these specific incidents, IBAC heard evidence that some employees were sharing MFB information directly with the Union without authority or the awareness of MFB management.
“One factor in the unauthorised disclosures to the Union was some employees’ belief that eventually the Union would be able to access this information through legitimate means.”
The IBAC report found that in May 2019, Mr Marshall disclosed an MFB document to the Emergency Services Minister Lisa Neville “without authority”.
“Mr Marshall had received this document as a result of an unknown MFB employee disclosing it without authority,” the report states.
“According to the CEO’s evidence, they attended a meeting with the Minister and then MFB Board President on 14 March 2019. During this meeting, the Minister presented the CEO with a printed copy of the document, and asked why the software was being considered.
“The CEO told IBAC how, following their explanation to the Minister regarding the software, she said, ‘You can’t have it’. The CEO’s evidence was that they believed Mr Marshall had influenced the Minister before her meeting with the CEO with the intention of stopping MFB purchasing the software.”
The Age article provides:
Victoria United Firefighters Union boss Peter Marshall asked staff at Metropolitan Fire Brigade to gather sensitive information on an investigation into him, executive contracts and other confidential information, a probe by the state’s anti-corruption watchdog has found.
The Independent Broad-based Anti-corruption Commission on Wednesday released its special report titled Operation Turton, an investigation into the unauthorised access and release of sensitive information by staff at the state’s Metropolitan Fire Brigade.
It discovered five separate incidents where MFB information was accessed or disclosed without approval by the organisation and that the staff involved were “motivated to misuse MFB information to further the interests of the Victorian branch of the UFU or its secretary, Peter Marshall”.
IBAC also found that Marshall had “inappropriately” sought assistance from employees to gather information about the investigations into his behaviour, the contracts of senior MFB executives and other confidential details.
The MFB was merged with the paid section of the Country Fire Authority in 2020, forming a new entity called Fire Rescue Victoria.
That three-year process was a bitter political battle, with some volunteers warning they would quit if they were no longer able to attend incidents alongside paid firefighters.
But it was also part of a long-running saga over firefighting in Victoria that plagued the Andrews government since 2016.
Volunteer anger over a new workplace agreement for the CFA’s professional firefighters became an issue in the 2016 federal election.
That same year, the late Jane Garrett sensationally resigned as Victoria’s emergency services minister after then-premier Daniel Andrews sided with the United Firefighters Union in the industrial dispute.