A review into Victorian Police information security following a 2008 breach found that it was predominantly due to "good luck" that more serious breaches hadn't occurred.
The fact that other sensitive law enforcement data was not accidentally or deliberately released appears to have been a matter of good luck rather than good management.
Office of Police Integrity
The review, by the Office of Police Integrity, was instigated after information on a surveillance target had gotten into the hands of suspects under investigation by Victorian Police and police from other states. Prior to the review, a joint investigation between Victoria Police and the office had found the most likely source of the security breach to be the Victoria Police State Surveillance Unit.
"In some respects the discovery of the unauthorised release of the surveillance target profile was fortuitous. The fact that other sensitive law enforcement data was not accidentally or deliberately released appears to have been a matter of good luck rather than good management," the report said.
The review found that the practices of the unit showed a "lackadaisical attitude to information security among staff".
"Crime department and regional investigators failed to adhere to protocols for access to and release of information based on the 'need to know' principle and regularly released large amounts of inappropriate law enforcement data by email to the Surveillance Unit," it said. "Most of the information was released without being properly classified, sanitised or subjected to proper authorisation processes."
Many reports also contained more information than necessary due to untrained or minimally trained employees often being put in charge of compiling target profiles.
"Once data was received at the unit, it was processed by untrained, inexperienced and often unmotivated administrative staff. These staff and, subsequently, Intelligence Cell members did not know what to exclude from a surveillance request, so they included everything. This meant that profiles disseminated to field operatives included large quantities of irrelevant information," the report said.
Systems and processes for the storage, transfer, destruction and further dissemination of law enforcement data were all inadequate, according to the report.
For example, following the partial decommissioning of a database the police set up a shared server to store secure information. However, there were over 100 individuals including contractors, IBM help desk staff, police officers and generic administration who had access to the drive — with much of that access not being justified.
It suggested that insufficient support and technology from Victoria Police had also contributed to mismanagement of highly sensitive information within the unit.
The office found that while the unit had taken steps to increase security since the first Surveillance Target Profile breach in mid-2008, these improvements still didn't meet those outlined in the Standards for Victoria Police law enforcement data security established in July 2007.
In a press conference following the tabling of the report in parliament yesterday, deputy commissioner, Sir Ken Jones addressed the report and discussed the changes Victoria Police is making to improve information security.
"We support unequivocally all recommendations, we're very focused on managing our information in a safe, ethical and lawful manner, information security is an organisational priority and we've put in an awful lot of time, money, effort and leadership into it," Jones said.
"The report identifies some real challenges for us, in the need to balance information security with making sure our surveillance people have the right tools and equipment to do their job. After all, they've taken on some of the worst criminals, and sometimes terrorists, in the state, so we need to bear that in mind, it's a very difficult challenge and we're grateful to the [office] for indicating how difficult that is for us."
The report concluded that Victoria Police should review all surveillance units, upgrade processes to comply with standards, and consider consolidating all surveillance resources under one management system.
Jones acknowledged the report's recommendations and said Victoria Police would work towards achieving these standards.
"We are conducting audits and reviews of all our surveillance units across the state, beyond the one that's been mentioned in the report, to make sure we bring them up to best practice as well," he said. "We're working to refine and develop clear processes and instructions that comply with the Commission for Law Enforcement and Data Security Standards, that's a critical issue for us as well and that's something I've been given the responsibility to lead on."
"I'm really confident we're heading in the right direction, this is a disappointing report in many respects, but nevertheless we welcome the recommendations because we are determined to lift our capability and our practice."
This hasn't been the first negative report on the processes of the Victorian Police. Recently, the organisation came under scrutiny for procurement practices amongst other concerns. The CIO had been replaced by a board of management while the Police Information Technology Unit sorted itself out. Now Michael Vanderheide who had worked as the CIO of the Australian Capital Territory Shared Services Unit has taken up the role.