I could see tax commissioner Michael D'Ascenzo wipe a bead of sweat from his brow and sigh with relief when he was told the CD only affected 3,000 people and not 25 million, as in the case of its UK counterpart Her Majesty's Revenue & Customs' (HMRC) missing CDs.
As security consultant Chris Gatford, from penetration testing firm Pure Hacking, told me, placing files in an encrypted Zip folder ain't "rocket science"; you just need good key management practices.
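What that looks like in practice, as an added example that is not from the article or from Pure Hacking: a fresh random key per disc, the key sent by a different route than the disc, strong authenticated encryption of the file, and a check that the media was not altered before anything is decrypted. The function names are this example's own, and it assumes the `openssl` command-line tool (1.1.1 or later, for `-pbkdf2`/`-iter`) is installed. Note that a "password-protected" Zip made with the legacy PKZIP stream cipher (ZipCrypto) is known to be breakable with a known-plaintext attack and is exactly the "low grade encryption" a reviewer would flag; use an AES-based tool, as here.

```shell
#!/bin/sh
# Added example, not from the article: encrypt a file for transfer on
# removable media with the key kept off the disc (the "key management"
# part of Gatford's point). Function names are this example's own.
# Assumes the openssl CLI (1.1.1 or later, for -pbkdf2/-iter) is installed.
set -eu

PBKDF2_ITER=200000

# Derive a separate HMAC key from the file key so the cipher key is never
# reused directly for authentication.
mac_key() {
    printf '%s-mac' "$(cat "$1")" | openssl dgst -sha256 | awk '{print $NF}'
}

# A fresh 256-bit random key per disc. The key file travels separately
# (courier, phone, or wrapped to the recipient's public key), never on the CD.
make_key() {
    openssl rand -hex 32 > "$1"
    chmod 600 "$1"
}

# Encrypt-then-MAC: AES-256-CBC with a PBKDF2-derived key, then an
# HMAC-SHA256 over the ciphertext written beside it as <out>.mac.
# Only <out> and <out>.mac go on the media.
encrypt_for_media() {
    in=$1; out=$2; keyfile=$3
    openssl enc -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -salt \
        -in "$in" -out "$out" -pass "file:$keyfile"
    openssl dgst -sha256 -hmac "$(mac_key "$keyfile")" -binary "$out" > "$out.mac"
}

# Verify the MAC before decrypting; a disc that was altered in transit is
# rejected rather than fed to the cipher. Returns 1 on any mismatch.
decrypt_from_media() {
    in=$1; out=$2; keyfile=$3
    expected=$(openssl dgst -sha256 -hmac "$(mac_key "$keyfile")" -binary "$in" | od -An -tx1 | tr -d ' \n')
    actual=$(od -An -tx1 < "$in.mac" | tr -d ' \n')
    if [ "$expected" != "$actual" ]; then
        echo "MAC mismatch on $in: refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -in "$in" -out "$out" -pass "file:$keyfile"
}

# Usage with constructed sample data (not real taxpayer records):
#   printf 'name,address,tfn\n' > records.csv
#   make_key records.key
#   encrypt_for_media records.csv records.enc records.key    # burn records.enc + records.enc.mac
#   decrypt_from_media records.enc records.csv records.key   # at the receiving end, key sent separately
```

The point of the two files is that losing the disc loses only ciphertext and a MAC; without the key file, which never shared a package with the disc, the name/address/TFN records stay unreadable, and a recipient whose MAC check fails knows not to trust what arrived.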
The ATO reckons the lost CD is a "low risk", because for theft (identity or financial) to occur, a person would need access not just to the individual's name, address and tax file number, which is what the CD contained, but to all their account information too.
Still, the last time I spoke to the ATO's CIO, Bill Gibson, he was spooked by the HMRC data breach. That incident and another CD lost by the ATO had prompted it to commission a 72-page review of its information handling, carried out by PricewaterhouseCoopers (PwC).
The ATO paid a wad of taxpayers' money for PwC to conduct that review, "Australian Taxation Office: Information Security Practices Review" (PDF), yet following this incident it wants to conduct another review of its handling of information.
My message to Michael D'Ascenzo: scroll down to page 23, under the heading "Information leakage — Potential hot spots". You don't need to conduct another review. Here's what it said back in April:
"Information [at the ATO] exchanged without a consistently applied security mechanism to guard against unauthorised disclosure or loss, including: international transfer of classified information using relatively low grade encryption; unencrypted files, or non password-protected files, transferred on physical media such as CD-ROM or electronically via email."