ATO admits staff have lost data, sent porn e-mails

The Australian Tax Office CIO Bill Gibson admits that staff have leaked information, lost CDs and been fired for sending porn by e-mail.
Written by Liam Tung, Contributing Writer

The security culture at the Australian Tax Office has generally been given the thumbs up in a review by PriceWaterhouseCoopers, released today (pdf), but the review also uncovered serious holes in the ATO's security practices.

Roughly 60 percent of the ATO's 22,000 staff took part in a survey that reviewed the ATO's security practices, technologies and policies. CIO Bill Gibson said the review was inspired by fears that the ATO could face a breach similar to the one at the UK's HMRC, which affected 25 million citizens.

"In October 2007, in the UK, there was the loss of password protected CDs by the HMRC that contained a lot of sensitive information about citizens in the UK. There were a number of other incidents which heightened our sensitivity to ensuring that we are appropriately safeguarding the information we hold," Gibson told ZDNet.com.au in a telephone interview today.

Those other incidents included one staff member losing a briefcase containing "some taxpayer information on two individuals" as well as a lost disc, said Gibson.

"[The briefcase] had been stolen from within a hotel. We have procedures that we activate if any information is compromised ... It's unfortunate that these things happen.

"The other event, which drove home to us the need to be comfortable in how we're dealing with these things was a disc misplaced in one of our offices," said Gibson.

The disc, which Gibson said was subsequently "found and handed back in", contained "some information about taxpayers".

The review found potentially serious holes in the way information is handled when shared between contractors and other government departments, which included "classified information" being transferred using "low grade encryption".

Some ATO staff also lacked knowledge of approved secure transfer channels, the study revealed.

"The area that we have more of a concern about are those things that are associated with ad hoc data transfers. For example, a request from an agency to access information," he said.

These transfers are usually governed by an official agreement between the agencies, which stipulates how each party should handle sensitive information.

The review found that information was handed to outsiders without any assurance it would be adequately protected.

"We're looking closely at the agreements we have with those agencies," Gibson said. "We clearly need to enhance our education and awareness program".

To better deal with data transfers between agencies, the ATO has introduced fingerprint-reading USB drives, which keep the information encrypted until the user has been properly authenticated.

"If there is a need for us to physically take information to another entity, we will only do so on one of these USB keys. The key can be unlocked through the use of finger or thumbprint — otherwise it's rendered unusable," he said.

The review also highlighted problems with staff circumventing the e-mail classification markings used by government organisations, which are designed to prevent data leakage.

The review found staff would choose to tag classification levels based on convenience rather than policy — with over-classification of hard copy information to restrict access, and in other cases, under-classification to simplify transfers to other locations.

"We're now doing 100 percent scans that involve all outbound e-mail traffic from the ATO and we have some sophisticated automation that detects what is information that is inappropriately classified.

"That might be pornographic or other materials. We have strong policies that do not condone this in any way. We have in the past had examples where staff have breached these guidelines — more around social acceptability — that we will class as a code of conduct issue, which can result in a range of sanctions and we have dismissed staff on that basis," added Gibson.
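The outbound scanning Gibson describes checks whether a message's classification marking matches its contents and destination. The script below is an added illustration of that kind of check and is not the ATO's code or configuration; it assumes a hypothetical "[SEC=LEVEL]" marking in the Subject line, a hypothetical internal domain, a hypothetical policy that only UNCLASSIFIED mail may leave the organisation, and a constructed "TFN" pattern as a stand-in for taxpayer information. It flags the two failure modes the review names, under-classification to ease a transfer and missing or over-threshold markings on mail leaving the organisation, over a set of constructed sample messages.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed marking convention: a "[SEC=LEVEL]" token in the Subject line.
# This is an assumption for the example, not a description of the ATO's setup.
MARKING_RE = re.compile(r"\[SEC=([A-Z-]+)\]")
LEVELS = {"UNCLASSIFIED": 0, "PROTECTED": 1, "SECRET": 2}

INTERNAL_DOMAIN = "example.gov.test"   # hypothetical internal mail domain
MAX_EXTERNAL_LEVEL = LEVELS["UNCLASSIFIED"]  # hypothetical policy threshold

# Constructed stand-in for "taxpayer information": a labelled 9-digit number.
# A real DLP rule set would be far richer; this only shows the mechanism.
SENSITIVE_RE = re.compile(r"\bTFN[:\s]*\d{3}\s?\d{3}\s?\d{3}\b")
SENSITIVE_MIN_LEVEL = LEVELS["PROTECTED"]   # sensitive content needs at least this


def marking_level(msg):
    """Return the numeric level of the Subject marking, or None if unmarked."""
    match = MARKING_RE.search(str(msg.get("Subject", "")))
    return LEVELS.get(match.group(1)) if match else None


def is_external(msg):
    """True if any To/Cc recipient is outside the internal domain."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return any(not addr.lower().endswith("@" + INTERNAL_DOMAIN)
               for _, addr in getaddresses(headers))


def scan_outbound(msg):
    """Return a list of findings for one outbound message (empty list = clean)."""
    findings = []
    level = marking_level(msg)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    if level is None:
        findings.append("no protective marking in Subject")
    if is_external(msg) and level is not None and level > MAX_EXTERNAL_LEVEL:
        findings.append("over-threshold marking sent to external recipient")
    if SENSITIVE_RE.search(text) and (level is None or level < SENSITIVE_MIN_LEVEL):
        findings.append("sensitive content under-classified")
    return findings


def build(subject, to, text):
    """Assemble a minimal outbound message for testing."""
    msg = EmailMessage()
    msg["From"] = "officer@" + INTERNAL_DOMAIN
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(text)
    return msg


# Constructed sample traffic; none of these addresses or numbers are real.
SAMPLES = {
    "clean_internal": build("[SEC=PROTECTED] Case notes",
                            "colleague@example.gov.test",
                            "TFN: 123 456 789 attached to file"),
    "under_classified": build("[SEC=UNCLASSIFIED] Quick transfer",
                              "partner@other-agency.test",
                              "Client TFN: 123456789 for matching"),
    "unmarked": build("Re: lunch", "friend@mail.test", "see you at 1"),
    "over_threshold_external": build("[SEC=SECRET] Briefing",
                                     "vendor@contractor.test",
                                     "slides attached"),
}


def run_all():
    """Scan every sample and map its name to the findings raised."""
    return {name: scan_outbound(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings or 'clean'}")
```

In a real gateway the content check would be a proper DLP rule set rather than one regex, and the marking syntax and domain list would come from the organisation's own policy; the structure of the decision, compare the marking against both the content and the destination, is the part worth keeping.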
