National Anti Corruption Commission uncovers data breach by immigration officer while investigating corruption
July 7, 2025 |
Itnews reports in Home Affairs officer accessed data on “friends and associates” that a former immigration officer accessed restricted data relating to 17 friends and associates 1,164 times in 6 years. These actions were discovered by the National Anti Corruption Commission investigating corrupt, unrelated, practices by this officer. This is a serious failure of data management under the Privacy Act 1988. If there was no lawful reason to access the personal information of these individuals then that officer did not have authority to access that information. The Department’s failure is in not having systems to detect such breaches of the Privacy Act. Software to detect unusual or unauthorised access exist. Banks have systems monitored by IT departments which raise flags when an employee seeks to or does access an account which has nothing to do with his or her role. In the bank setting that results in instant dismissal. Why there was no such system in the Department is a major failing in the data protection architecture.
The article provides:
A former immigration officer at Home Affairs accessed restricted data on 17 “friends and associates” over 1000 times over a six-year period.
The woman also approved a visitor visa for her brother-in-law after an earlier application was refused.
The National Anti-Corruption Commission (NACC) said in a statement that the woman was sentenced to eight months’ imprisonment for abuse of public office but released on a recognisance order.
The visitor visa approval triggered the initial investigation, with the NACC saying the woman “self-allocated the application” re-submitted by her brother-in-law “to herself as the visa decision-maker” and approved it after three days, after an earlier application was refused.
The investigation went by the name Operation Carbunup, described at the time as a matter where an officer allegedly “facilitated the unlawful entry of a foreign national into Australia”.
The NACC, however, also noted that the case had another side to it with the “unauthorised access to restricted data”, for which the woman was also convicted following a guilty plea.
“Between 2016 and 2021, [the woman] accessed the records of 17 individuals, including friends and associates, on 1164 occasions,” the NACC said.