BreachExchange mailing list archives
Confidential details of entire WA Police Force accessed in 'startling' audit breach, CCC finds
From: Destry Winant <destry () riskbasedsecurity com>
Date: Fri, 24 Apr 2020 09:07:20 -0500
https://www.msn.com/en-au/news/australia/confidential-details-of-entire-wa-police-force-accessed-in-startling-audit-breach-ccc-finds/ar-BB134cK4

A corruption investigation has revealed a staff member in the office that audits every WA government department accessed and downloaded highly confidential information about all of the state's 8,800 police officers.

The information included the officers' names and addresses and was labelled a "startling" revelation by the state's corruption watchdog.

The Corruption and Crime Commission (CCC) tabled a report in State Parliament today outlining how the staff member at the Office of the Auditor General (OAG) stored the information on a spreadsheet on a laptop computer for years after completing an audit of the WA Police Force.

The report said there was no evidence the police data was shared, but that did not lessen the seriousness of the incident.

"The misconduct risk is real and its value to organised crime could be immense," the report said.

Payroll details of audit staff accessed

The incident was not the only one uncovered by the CCC.

The investigation also found two staff members who were both certified practising accountants were able to access confidential information, including the payroll details and bank accounts, of other OAG workers, including the auditor-general herself.

The report said the information the man accessed included the auditor-general's credit card statement and records of her meeting notes with other government department heads.

Some of the material was found collated in a document folder on his personal computer.

"His consistent explanation was that the information was available to everyone to see and he did not think it was inappropriate at that point in time," the report found.

"That explanation is difficult to accept."

The CCC said it accepted the staff member was "under extreme stress due to issues of a personal nature" at the time, and that he had not acted with a corrupt intention.

But it said his actions illustrated the serious misconduct risk that existed when confidential information was stored without proper controls and restrictions on access.

Storage device deliberately destroyed: CCC

A finding of serious misconduct was made against one auditor who the CCC found deliberately destroyed a portable storage device when he was asked to return it.

He claimed he did what he did because he was angry at the time, but the watchdog said "there [was] another more sinister explanation possible".

"[He] destroyed the IronKey because he did not want an examination of what had been stored on it, what had been done with the data from it," the report found.

"The Commission is unable to determine whether the true purpose was: anger, concealment, or something else.

"Regardless [he] acted to destroy the IronKey in order to cause a detriment to the OAG, both by loss of the device itself … and the data it held (which is unknown and therefore immeasurable)."

The CCC described all the revelations as "startling".

"OAG has independence of action and is responsible for auditing the finances and actions of all departments of government, state and local," the report said.

"It should be trusted to keep information confidential."

In its response to the CCC, the OAG said it took immediate remedial action after the incidents were uncovered.

But the CCC recommended all public authorities consider reviewing their policies on how they secured confidential information and that they ensured regular internal checks were conducted to identify and deter unauthorised access and disclosures.