Privacy commissioner to investigate Immigration data breach

Australian privacy commissioner Timothy Pilgrim will investigate the accidental exposure of personal details relating to thousands of Australian-based asylum seekers via the immigration department's website.

Pilgrim described the breach as “a serious incident” and said he would investigate how it was allowed to happen.

He said the immigration department had promised to provide him with a detailed report into the incident.

"Further, the OAIC will be working with the department to make sure they are fully aware of their privacy obligations and to ensure that incidents of this nature will not be repeated,” he said.

Pilgrim said the department had assured him the information was no longer available online.

New laws concerning the privacy obligations of government agencies and businesses with a turnover exceeding $3 million come into effect next month.

The immigration department also today confirmed it had engaged KPMG to review and report on how the incident was able to occur, and ensure it doesn't happen again. The firm is expected to hand its report to the agency next week.

Immigration minister Scott Morrison said the incident was "unacceptable".

"This is a serious breach of privacy by the Department of Immigration and Border Protection," he said.

"The information was never intended to be in the public domain, nor was it in an easily accessible format within the public domain. 

"I have received a brief on this matter and have sought assurances that this will not occur again."

How did it happen?

Director of security firm Threat Intelligence Ty Miller said the breach may have occurred as a result of a failure in access controls, but said the data should “absolutely not” have been on the department’s web servers in the first place.

“It’s actually more common than you would think. Access controls are one of the most common and significant flaws within web applications and during penetration testing we find these things all the time,” he told iTnews.

“A lot of organisations rely on you not knowing that these files are sitting there, there are a lot of sites that have backup of their databases or source code, and are named things that you may not necessarily guess, but they are accessible."

The department has not yet responded to request for comment on whether the files in question had been cached - a situation Miller described as the “worst case scenario”.

He said such data should typically not be connected to public systems and should be stored in a database with restricted access, with sensitive data also encrypted.

Director of penetration testing firm HackLabs Chris Gatford said his firm also came across similar cases of lost information on a regular basis.

“This is very common. I imagine it was deliberately shared to facilitate sharing between whichever groups [immigration] is working with, and either the link was disclosed or the directory it resides in was easily viewable, allowing the file to be discovered,” he said.

“Unfortunately in this day and age it is amazing the type of information you can find when looking around a misconfigured site, or file store, or even cached in the most unusual places."

Update 4:44pm: The Immigration department said in a statement it understood the compromised information had not been cached by search engines.

It said the data, accessible on a 'immigration detention statistics report" had been available on the website for around a week from February 11.