Confidential personal information gathered by Victorian government agencies "can be, and has been, easily compromised", according to a report published today by the state's Auditor General.
The audit report, Maintaining the Integrity and Confidentiality of Personal Information, found a plethora of security oversights, blunders and poor practices that left citizens' personal data highly vulnerable to exposure.
The audit examined security governance and risk management arrangements at three Victorian Government agencies, including the departments of Premier and Cabinet, and Treasury and Finance. It did not name the third department.
"While we examined only three departments, the ability to penetrate databases, the consistency of our findings and the lack of effective oversight and coordination of information security practices strongly indicate that this phenomenon is widespread," the report said.
The audit found that "in each department unauthorised people could access personal information quickly and easily" because "the information was not appropriately classified" and "the database controls were either missing or not operating".
Further, because the departments didn't maintain or regularly review system logs, they had no way of knowing if their systems had been breached and personal information in their care had been accessed without authorisation.
The Auditor General's office found that departments were storing and exchanging information in unsecured formats.
"Data was transmitted from the three departments by emails in formats that were easily read," the report said. "This means they could be accessed by someone other than the intended recipient.
"Personal information was stored on portable storage devices, CDs and DVDs that are vulnerable to loss, in easily-read formats. Personal information was exchanged via personal email accounts, some of which were particularly vulnerable to unauthorised access. Extracts or whole copies of personal information from the selected databases were stored in unsecured shared drives on departmental networks accessible by unauthorised staff."
These departments were providing information to third parties such as IT services providers and hosting companies which were "not required to certify that their security arrangements at least equal public sector requirements".
It also found that the Victorian Government has to date failed to implement "a comprehensive suite of standards to guide and support effective information management and security practice across the public sector".
"The Department of Treasury and Finance and the Department of Premier and Cabinet have not fulfilled their responsibilities to develop and maintain whole-of-government information security standards and guidance, to improve the coordination of identity and information management systems at state level, and to provide policy advice on emerging trends and issues in identity and information management," the report said.
The Auditor General's report recommended that the departments should:
- Clarify their roles, responsibilities, policies and standards regarding information security
- Assign responsibility for information security to senior management
- Develop more robust risk management practices
- Train staff in good security practices and the importance of information security
- Assess threats and vulnerabilities and take steps to address them