BreachExchange mailing list archives

G20 data email leak: ombudsman asked to investigate 'systemic problem'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 1 Apr 2015 19:28:36 -0600

http://www.theguardian.com/australia-news/2015/apr/01/g20-data-email-leak-ombudsman-asked-to-investigate-systemic-problem

The commonwealth ombudsman has been asked to investigate the immigration
department after the personal details of G20 world leaders were
accidentally disclosed in an embarrassing data breach.

The shadow attorney general, Mark Dreyfus, wrote to the commonwealth
ombudsman, Colin Neave, on Wednesday, asking him to examine whether the
immigration department was complying with its obligations under the Privacy
Act.

On Monday Guardian Australia reported that the world leaders attending the
G20 summit had their personal details – including passport and visa
information – exposed after an employee accidentally sent an email with the
data to a member of the Asian Cup local organising committee.

Although the privacy commissioner’s office said it had concluded inquiries
into the breach after it was notified by the department, Dreyfus said a
larger inquiry was needed.

In a letter to the ombudsman, Dreyfus said: “It is clear that the
department has an ongoing, systemic problem in meeting its privacy and data
security obligations. An investigation by the ombudsman into the
department’s broader conduct is warranted.

“This is the second significant data breach within the department under the
current government. In February of last year the department inadvertently
published online the personal information of nearly 10,000 asylum seekers.”

“It is deeply concerning that the department has evidently not improved its
practices since that incident.”

The department had also recommended the G20 leaders not be notified of the
breach, and wrote in a letter to the information commissioner that they
considered the breach to be a low risk.

Dreyfus said: “It is also deeply worrying that after becoming aware of the
G20 data breach, the department chose not to notify the relevant leaders or
their governments that their privacy and security had been compromised.”

“Clearly, this data breach is a matter of concern to our international
counterparts. The White House has now said that it is investigating the
issue.”

“In light of this incident, I have grave concerns about the ability of the
department to competently handle the private information it is entrusted
with. The minister has been completely unable to give any satisfactory
reassurance.”

The department has since banned an email autocomplete function that was
blamed for the breach. But the change was made weeks after the November
breach occurred.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
