Feeds

Oz refugee data leak a SNAFU, says KPMG report

Politically-explosive data accessed 123 times after gov worker ignores intranet rules

Remote control for virtualized desktops

Australia's Department of Immigration and Border Protection needs to tighten up its publishing processes to prevent repeats of a January incident that saw personal details of 10,000 asylum seekers placed on the Web for all to see.

Asylum seekers are a very controversial issue in Australia, especially those that arrive by boat. The nation's recently-elected government has decided they must be repelled using secret naval operations and that nobody who arrives by boat will ever be settled in Australia. While popular among the electorate, the policies continue to attract much criticism as inhumane in their execution and inappropriate in their lack of generosity.

Such criticisms were fuelled anew by the January leak.

The Department commissioned a review and then a version of that document suitable for public consumption. Released yesterday, the public review (PDF) says the data became available because “... a Microsoft Word document … allowed access to source data”.

The Word document likely made it onto the web because “The processes adopted in producing and publishing the Document appears to have not conformed with the roles and responsibilities set out in either the web publishing and governance intranet guidance or the online style guide.”

The review says the style guide is “potentially ambiguous in some areas” but sets out requirements for publication that “appear not to have been followed.”

The report says it cannot find “any indications that the disclosure of the underlying data was intentional or malicious.”

In other words, someone in the Department didn't follow the rules and data ended up online.

104 unique IP addresses accessed the file 123 times.

The review goes on to suggest that processes be put in place to ensure that when Departmental staff access data it be “normalised and cleansed in a secure environment” to ensure it cannot reach the public. There are also calls for processes and checks to ensure that documents placed on the web don't link to data or other information intended only for staffers' eyes.

That the department needs such programs is not good news: it has been troubled for a decade or more and recently underwent a major IT overhaul. Questions-a-plenty about the efficacy of that program, and whether the department can effectively carry out its role, are probably being drafted as you read this story. ®

Choosing a cloud hosting partner with confidence

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.