Services Australia has reported five data breaches since July 2019

All five data breaches related to human error, the agency said, and combined they have affected 232 people.
Written by Asha Barbaschow, Contributor

Since the start of the 2019 financial year, Services Australia has reported a total of five eligible data breaches to the Office of the Australian Information Commissioner (OAIC).

According to the agency, the five breaches reported in the financial years 2019-2020 and 2020-2021, up until 12 April 2021, all involved human error.

Revealed in response to questions taken on notice, Services Australia said 232 people have been affected by the breaches, as at 12 April.

"The [eligible data breaches] occurred in the context of the agency's many millions of customer interactions each year," it declared. "For example, the agency had approximately 395 million customer interactions in 2019-2020."

For each eligible data breach, Services Australia said it takes appropriate remediation steps, including taking steps to notify affected customers, providing further training and education for staff, and reviewing and improving agency processes and procedures.

Services Australia in March admitted it had reported a total of 20 cybersecurity incidents to the Australian Cyber Security Centre (ACSC) in 2019-20, covering its responsibility across the Department of Social Services, the National Disability Insurance Agency, and the Department of Veterans' Affairs, in addition to its own IT shop.

The ACSC reported receiving a total of 436 notifications from government entities.

The agency has now added that none of those 20 incidents involved a breach of the Australian Privacy Principles or met the threshold of an eligible data breach for the purposes of the Notifiable Data Breaches (NDB) Scheme.

The NDB scheme came into effect in February 2018. It requires agencies and organisations in Australia that are covered by the Commonwealth Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of the breach.

As detailed in the OAIC's latest report, Australian entities covered by the Privacy Act reported 519 instances of data breaches in the six months to December 2020, a 5% increase from the first half of the year. The Australian government accounted for 6% of the total, with 33 notifications.

Services Australia said internally it completed 125 investigations into unauthorised access of information by staff in the period spanning 1 July 2020 to 28 February 2021.

"Unauthorised access to information by staff is access to agency information, which could include personal information, that they have no legitimate business reason to access, including individuals accessing their own data," Services Australia clarified.

It said none of those investigations led to a referral to the Commonwealth Director of Public Prosecutions.

However, Services Australia said it took administrative disciplinary action in response to a number of those investigations, ranging from formal warning letters to termination of employment.

"None of the investigations involved a breach of the Australian Privacy Principles or met the threshold of an eligible data breach for the purposes of the Notifiable Data Breach Scheme," it added.

Elsewhere during Senate Estimates in March, the Department of Home Affairs took on notice a handful of questions related to ransomware, such as the number of criminal investigations of ransomware attacks against Australian organisations opened by the Australian Federal Police (AFP), the number of ransomware-related investigations underway, and the number of law enforcement operations against ransomware groups initiated in foreign jurisdictions that the AFP participated in.

In response, Home Affairs listed the five potential offences that can be used to penalise ransomware-related activities.

It did, however, confirm at least one charge has been laid by the AFP.

"In the last 12 months, the AFP charged at least one individual in Australia with criminal offences related to ransomware," it wrote.

"The AFP is unable to include comprehensive statistics because of the lack of explicit provisions against ransomware offences as outlined."

The Department of Finance, meanwhile, responded to questions asked of it during March estimates, specifically related to the shared enterprise resource planning (ERP) technology platform, GovERP.

Initially unveiled as part of the 2017 Budget, AU$89.5 million across three years was allocated to consolidate and streamline back-office corporate functions in the Australian Public Service. Finance was asked how much of the funding had been spent on those external to the department.

GovERP has received funding of AU$67.1 million over the two years 2019-20 and 2020-21. Of this, Finance said AU$35.5 million has been spent to date on contractors and consultants.

"The program will implement a new technology in which the APS has not yet developed expertise," Finance said.

"The majority of contractors and consultants are engaged to provide specialised skills and services to support the program, many of which are small to medium enterprises, particularly with respect to ICT labour."

GovERP has been funded for a further two years as part of the 2021-22 federal Budget, but the dollar amount has been listed in official documents as not for publication due to "commercial sensitivities".
