Immigration's G20 email bungle was only the first fail

The Department of Immigration and Border Protection's response to the G20 data breach was precisely wrong. Twice.
Written by Stilgherrian, Contributor

He that is without sin among you, let him first cast a stone, etc. Sure, it's easy to laugh at the unnamed Australian government staffer who emailed 31 world leaders' personal details to the wrong address. But we've all accidentally emailed the wrong person at some time, haven't we?

Mistakes happen. It's what comes next that matters. And this is where I think the Australian Department of Immigration and Border Protection (DIBP) has failed. Twice.

According to documents obtained by The Guardian, the personal information breached was the "name, date of birth, title, position nationality [sic], passport number, visa grant number, and visa subclass" of the leaders attending the G20 leaders summit. Combined with information easily found online, such as place of birth and residential address, that's enough to open a bank account online -- and from there, the rest of an identity fraud can be constructed.

Yet a DIBP officer downplayed the risk.

"Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach," she is reported to have written.

I don't disagree with her overall risk assessment -- at least, based on the facts as reported -- but I don't think it's up to an Australian DIBP staffer to decide what is and isn't a risk to the president of the United States. That's the job of the US Secret Service, and they won't even let POTUS eat a meal without their officers having watched it being prepared. Other national leaders have their own security protocols. And some of those nations, including the US, have mandatory data breach notification laws. They expect to be told.

That's the first fail.

Privacy consultant Steve Wilson, vice-president and principal analyst with Constellation Research, raised another issue. "WTF are we doing letting humans handle this kind of sensitive data without some sort of content filter that would alert them before allowing them to press send?" he told ZDNet by email.

There's all manner of data loss prevention systems that can spot when an email contains sensitive data, and at the very least pop up an "Are you sure?" query before you send it out the building. You'd think that after DIBP published the details of approximately 9,250 asylum seekers last year, they'd be all over this stuff.
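As an added illustration of the pre-send check described above (example code, not DIBP's systems or any vendor's product), here is a minimal outbound gate in Python: it scans a draft for the field types named in the breached document and decides whether to send, ask "Are you sure?", or stop the message leaving the organisation. The field patterns, the organisation domain example.gov.au and the sample records are constructed assumptions, not real formats or data.

```python
import re
from dataclasses import dataclass, field

# Constructed, illustrative patterns for the field types in the leaked document.
# Real passport and visa identifiers vary by country; these are assumptions only.
SENSITIVE_PATTERNS = {
    "passport_number": re.compile(r"\b[A-Z]{1,2}\d{7}\b"),
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "visa_grant_number": re.compile(r"\b\d{13}\b"),
}

# Assumed domain(s) belonging to the sending organisation.
INTERNAL_DOMAINS = {"example.gov.au"}


@dataclass
class Verdict:
    action: str                       # "allow", "confirm" or "block"
    findings: dict = field(default_factory=dict)  # pattern name -> match count
    external: list = field(default_factory=list)  # recipients outside the org


def scan_body(body):
    """Count matches of each sensitive field pattern in the message body."""
    findings = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        hits = pattern.findall(body)
        if hits:
            findings[name] = len(hits)
    return findings


def external_recipients(recipients):
    """Return recipients whose domain is not one of INTERNAL_DOMAINS."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def presend_check(recipients, body):
    """Policy: no sensitive data -> allow; sensitive data to an external
    address -> block; sensitive data to internal addresses -> confirm."""
    findings = scan_body(body)
    external = external_recipients(recipients)
    if not findings:
        return Verdict("allow", findings, external)
    if external:
        return Verdict("block", findings, external)
    return Verdict("confirm", findings, external)


# Constructed sample records in the shape of the breached fields (fake values).
SAMPLE_BODY = (
    "Name: A. Example, DOB: 01/02/1960, Passport: PA1234567, Visa grant: 1234567890123\n"
    "Name: B. Example, DOB: 03/04/1955, Passport: XY7654321, Visa grant: 9876543210987\n"
)
```

The autofill failure on the page is a recipient error, so the gate keys on where the message is going, not only on what it contains.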

And why was such sensitive information being emailed around in the one document anyway?

"We have to ask how these sorts of processes and systems are allowed to be established. Were Threat & Risk Assessments and Privacy Impact Assessments done? And if they were, why did they manifestly fail?" Wilson asked.

"I trust nobody has played this down as 'a human error'. We know that humans are the weakest link in the security chain. So when anyone says of a breach 'it was human error', they're admitting management culpability."

Ah, yeah, about that...

According to the DIBP staffer, "The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person."

But DIBP's reaction hasn't just been to blame the human. It's taken technical measures.

It has disabled Outlook's address auto-completion for everybody.

"If you have emailed a person before, you have to retype in their address completely," the department's chief information officer, Matthew Yannopoulos, told The Australian. "I have made the addressing torturous, so that you actually -- really need to think about it. They are pretty unhappy about it."

I bet they are.

It's a good thing that disgruntled workers don't make mistakes, either accidentally or "accidentally", right?

Oh, wait.

That's the second fail.

Punishing the staff by taking away a productive tool that they can't be trusted to use? Referring to the CIO as the C-I-No is such an overworked cliché, but it appears to be alive and well at DIBP.

I'll let Steve Wilson have the last word.

"As if we needed more proof that information systems are too fragile to handle, here's another breach. Personal Information is like nitroglycerin -- it has this tendency to blow up in your face. When will we stop throwing it around with such abandon, and take grown-up steps to defuse the stuff?"
