Unfamiliarity with some Microsoft Word functions and limited awareness of IT security risks may have led to the accidental publishing of almost 10,000 asylum seekers details on the Department of Immigration and Border Protection (DIBP) website in February 2014, says a new KPMG report.
The file contained information about every asylum seeker held in Australian detention centres and on Christmas Island, as well as those in community detention, <i>The Guardian</i> reported at the time.
DIBP commissioned KPMG to conduct an investigation into the data breach.
In its findings (PDF), the firm found a number of factors that may have led to the incident including “time pressures, unfamiliarity with certain functions of Microsoft Word and limited awareness of IT security risks associated with online publishing".
- Immigration and Border Protection to invest $700 million in border security
- Multicard breached Privacy Act with Maritime ID card leak: Commissioner
- Telstra signs $32 million security contact with Australian Customs
In addition, KPMG’s report found that the process used in producing and publishing the asylum seekers document did not conform with the DIBP’s roles and responsibilities set out in its Web publishing and governance Intranet guidance or the DIBP online style guide.
“Although potentially ambiguous in some relevant areas, the online style guide sets out specific requirements for the publication of documents which appear not to have been followed,” read the report.
KPMG recommended that DIBP implement procedures so that when data is extracted for analysis, it is cleaned in a secure environment to ensure any personal information is removed.
The department should also hold “online publishing workshops involved IT security, Web operations and governance", recommended the report.
KPMG’s report also recommended that DIBP develop an IT security training program for all staff members and incorporate lessons from the KPMG review into future privacy training.
In response to the report, DIBP has issued a statement that says the asylum seekers information was never intended to be in the public domain and “was not easily accessible".
According to DIBP, it has written to every person affected by the incident with details of how the data breach occurred and the information that was accessible.
“If you have not received the letter, you should inform DIBP as soon as possible of your current address so that you do receive it,” said DIBP.
“The department has taken action to implement the recommendations in that report and ensure that this sort of incident does not happen again. The department deeply regrets inadvertently allowing unauthorised access to personal information.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.