Maintaining her role as Australia's outsourcing watchdog since 1997, Opposition IT spokeswoman Senator Kate Lundy used this month's Public Accounts committee hearing to expose serious flaws under current service provider arrangements between EDS and Customs.
Despite a number of wide-ranging reviews instigated since the recent theft of the two computer servers from Customs, there are very few sanctions that can be imposed on EDS for failing to protect a facility listed by the federal government as critical infrastructure.
Incredibly, the brazen thieves gained access to a secure computer room at Customs by requesting and signing for a swipecard, the joint Public Accounts and Audit Committee heard.
They simply unplugged the servers, loaded them onto a trolley and wheeled them out of the building.
When asked what action could be taken in such circumstances when EDS fails to meet security obligations, the vendor's executive director of the Australian federal government group, Michael Smith, said one option is termination of the contract.
But Lundy pointed out that, as EDS has full ownership of Customs' IT assets, such a drastic scenario is pretty unlikely.
"So if Customs took action they would have no assets; they would have to buy back all their hardware and software which is an impossible situation," she said.
"It effectively paints a picture of no credible sanction being available to the Commonwealth if security is breached."
Smith denied EDS had done anything wrong because it was a "breach of physical security" and EDS is responsible for IT security.
Choosing to sidestep even a hint of blame for the security breach, Smith boldly stated EDS had done nothing wrong and could not be held accountable although one of the thieves was a former EDS employee.
"There is no suggestion that EDS has done anything wrong or contributed to anything that has led to the theft of these devices," he said.
But Customs CEO Lionel Woodward held a different view, admitting the incident exposed a breakdown in security procedures.
"We are not attempting to say that this is not serious. It is and it is extremely embarrassing," he said.
There have been "massive changes" to security procedures since the theft, Woodward said, admitting that additional equipment was stolen along with the servers, including two desktop computers and a battery charger.
This only came to light weeks after the event, with Woodward blaming a poor asset register process maintained by EDS.
However, ACS CIO Murray Harrison said an apology had been received from EDS and in the wake of the theft there has been an extensive audit of all equipment across the Customs network.
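The article's point about the asset register is a detection problem: the loss of the desktops and charger went unnoticed for weeks because the register could not be reconciled against what was physically present. The following is an added example, not code from the article, from EDS or from Customs, showing the kind of reconciliation an equipment audit performs: it compares a register of where each tagged asset should be with what an auditor actually found and reports what is missing, what is unregistered, and what has moved. The asset tags, locations and the `Asset`/`reconcile` names are constructed for illustration.

```python
"""Asset-register reconciliation: compare what the register says should be
in each location against what a physical audit actually found.

Added example; the register entries and audit results are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    tag: str        # asset tag physically attached to the device
    kind: str       # e.g. server, desktop
    location: str   # room or rack the register says it occupies


def reconcile(register, audit):
    """Return the discrepancies between the register and a physical audit.

    register: iterable of Asset (what should exist, and where)
    audit: dict mapping asset tag -> location where the auditor found it
    """
    by_tag = {a.tag: a for a in register}
    # Registered but not found anywhere: the case that signals theft or loss.
    missing = sorted(t for t in by_tag if t not in audit)
    # Found on site but never entered in the register: a register gap.
    unregistered = sorted(t for t in audit if t not in by_tag)
    # Found, but not where the register says it should be.
    moved = sorted((t, by_tag[t].location, loc) for t, loc in audit.items()
                   if t in by_tag and by_tag[t].location != loc)
    return {"missing": missing, "unregistered": unregistered, "moved": moved}


# Constructed register and audit results for illustration only.
REGISTER = [
    Asset("SRV-0001", "server", "secure-room-A"),
    Asset("SRV-0002", "server", "secure-room-A"),
    Asset("PC-0100", "desktop", "office-3"),
    Asset("PC-0101", "desktop", "office-3"),
]
AUDIT = {
    "PC-0100": "office-3",
    "PC-0101": "office-4",        # found in a different room than registered
    "UPS-0007": "secure-room-A",  # present on site but never registered
}

if __name__ == "__main__":
    for key, items in reconcile(REGISTER, AUDIT).items():
        print(key, items)
```

A register that is kept current (every move, disposal and new delivery recorded) is what makes the "missing" list trustworthy; when the register itself is stale, as the article describes, the reconciliation cannot distinguish a stolen device from one that was never entered correctly.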
Australian Identity Security Alliance convenor Dr Edward Lewis, who was on the evaluation team that selected EDS as the outsourcing provider for Customs, agreed there were insufficient penalties for serious security breaches under existing outsourcing contracts.
"There are the normal commercial legal responsibilities of suing for a breach of contract rather than terminating the contract, so perhaps there are other ways of taking action. This particular contract does not have sufficient service credits or more interim penalties that allow for these sorts of breaches," he said.
He also pointed out that the responsibility for such breaches begins with the CEO and management, and shouldn't be directed at the security guard or Customs worker because they probably haven't received the appropriate level of training required to secure this type of facility.