D'Ascenzo: Read p23 of security review

Summary: Following yesterday's admission by the Australian Taxation Office that its courier had lost a CD containing the details of 3,000 self-managed super funds, it wants to review how it handles information. My suggestion: go back to the review completed in April.

I could see tax commissioner Michael D'Ascenzo wiping a bead of sweat from his brow and sighing with relief when he was told the CD affected only 3,000 people, not 25 million as in the case of its UK counterpart Her Majesty's Revenue & Customs' (HMRC) missing CDs.

In the absence of data breach disclosure laws, it was commendable of D'Ascenzo to disclose the loss, but I find it surprising the ATO isn't already encrypting files on CDs it sends out into the wild.

As security consultant Chris Gatford, from penetration testing firm Pure Hacking, told me, placing files in an encrypted Zip folder ain't "rocket science"; you just need good key management practices.

The ATO reckons the lost CD is a "low risk", because for theft (ID or financial) to occur, a person would need access not just to the individual's name, address, and tax file number — the details contained on the CD — but all their account information too.

Still, the last time I spoke to the ATO's CIO Bill Gibson, he was spooked by the HMRC data breach. That incident, and another CD lost by the ATO, prompted it to commission a 72-page review of its handling of information, carried out by PricewaterhouseCoopers (PwC).

The ATO paid a wad of taxpayers' money for PwC to conduct that review, called "Australian Taxation Office: Information Security Practices Review" (PDF), but following this incident it wants to conduct yet another review of its handling of information.

My message to Michael D'Ascenzo: scroll down to page 23 under the heading "Information leakage — Potential hot spots". You don't need to conduct another review. Here's what it said back in April:

"Information [at the ATO] exchanged without a consistently applied security mechanism to guard against unauthorised disclosure or loss, including: international transfer of classified information using relatively low grade encryption; unencrypted files, or non password-protected files, transferred on physical media such as CD-ROM or electronically via email."

Liam Tung

Talkback

2 comments
  • Horse to water problem

    Anything done in April is very unlikely to have trickled down into policy, procedures and training materials by now, let alone actually being implemented.

    And then there's corporate culture to deal with, and if it's anything like that in any large enterprise (commercial or government), it will thoroughly resist the security discipline required.
    anonymous
  • Re-raise recommendation 13?

    The PwC report includes a recommendation to provide solutions for the secure transportation of all types of information... wouldn't that include encryption mechanisms for files burnt to CD or copied to USB devices?
    anonymous