Australian Immigration Email Exposes G20 Leaders’ Personal Information

Australia’s immigration department accidentally exposed the personal details of several world leaders, including Prime Minster David Cameron, attending the G20 summit in Brisbane last November, it has been revealed.

The department decided not to inform their respective governments, though, reports The Guardian.

According to documents obtained by the newspaper through Australia’s freedom of information laws, an employee of the Department of Immigration and Border Protection accidentally sent passport details, visa information and other details to a member of the organising committee of the Asian Cup football tournament, held in January.

The recipient deleted the email in question and notified immigration authorities, who then reported the incident to Australia’s privacy commissioner on November 7.

Disclosure

It was decided that because the disclosure was caused by human error and that because the Asian Cup organising committee had given assurances that the email was not accessible or recoverable, there was no need to tell the leaders in question about the breach.

The document says the department was informed within ten minutes of the breach occurring and there is no record of the email being forwarded, nor was a copy created as the Asian Cup committee’s backup systems only run overnight.

“The personal information which has been breached is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (ie prime ministers, presidents and their equivalents) attending the G20 leaders summit,” wrote the director of the visa services division of the immigration department.

Human error

“The cause of the breach was human error. [The staff member in question] failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field. This led to the email being sent to the wrong person.

“The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”

The department says it plans to reiterate to its staff the need to protect personal data at work but it is unclear whether it has made the leaders aware of the incident. It has been suggested that a failure to disclose the breach could break a number of privacy laws in other countries.

‘Shocking breach’

“This is a shocking breach in security that should have been disclosed immediately – however it’s actually a very common mistake,” said Tony Pepper, CEO of Egress Software Technologies.“‘Autofill’ options when entering a recipient’s details create a wide margin for human error when sharing confidential information by email. However, this is no longer an acceptable excuse, particularly when sharing such highly sensitive information.

“Mistakes happen, it’s a fact of life. Yet organisations need to ensure they give employees the right tools to work securely, while also providing a safety net should mistakes happen. Otherwise we will continue to see breaches of this kind.”

Earlier this year, several Australian government organisations were hacked by an attacker claiming to be a former LizardSquad member. Australian Communications and Media Authority (ACMA) and the Australian Nuclear Science and Technology Organisation (ANSTO) were among those affected, although only non-sensitive data was contained on their websites.

Last week, the country passed data retention laws that will allow the government to access communications metadata without the need for a search warrant. Communication service providers will be forced to store this information for two years after both major political parties backed the bill.

Are you a pedant on privacy? Try our quiz!