Oz refugee data leak a SNAFU, says KPMG report
Politically-explosive data accessed 123 times after gov worker ignores intranet rules
Australia's Department of Immigration and Border Protection needs to tighten up its publishing processes to prevent repeats of a January incident that saw personal details of 10,000 asylum seekers placed on the Web for all to see.
Asylum seekers are a very controversial issue in Australia, especially those that arrive by boat. The nation's recently-elected government has decided they must be repelled using secret naval operations and that nobody who arrives by boat will ever be settled in Australia. While popular among the electorate, the policies continue to attract much criticism as inhumane in their execution and inappropriate in their lack of generosity.
Such criticisms were fuelled anew by the January leak.
The Department commissioned a review and then a version of that document suitable for public consumption. Released yesterday, the public review (PDF) says the data became available because “... a Microsoft Word document … allowed access to source data”.
The Word document likely made it onto the web because “The processes adopted in producing and publishing the Document appears to have not conformed with the roles and responsibilities set out in either the web publishing and governance intranet guidance or the online style guide.”
The review says the style guide is “potentially ambiguous in some areas” but sets out requirements for publication that “appear not to have been followed.”
The report says it cannot find “any indications that the disclosure of the underlying data was intentional or malicious.”
In other words, someone in the Department didn't follow the rules and data ended up online.
104 unique IP addresses accessed the file 123 times.
The review goes on to suggest that processes be put in place to ensure that when Departmental staff access data it be “normalised and cleansed in a secure environment” to ensure it cannot reach the public. There are also calls for processes and checks to ensure that documents placed on the web don't link to data or other information intended only for staffers' eyes.
That the department needs such programs is not good news: it has been troubled for a decade or more and recently underwent a major IT overhaul. Questions-a-plenty about the efficacy of that program, and whether the department can effectively carry out its role, are probably being drafted as you read this story. ®
Sponsored: Becoming a Pragmatic Security Leader