An ex-contractor was able to access a key Victorian government IT system 260 times in the year after leaving the service provider for which they worked, exposing failings in employee off-boarding and access management, the state's information commissioner has found.
The Office of the Victorian Information Commissioner (OVIC) made the revelation in its investigation [pdf] into a data breach at the former Department of Health and Human Services (DHHS), which took place between September 2017 and October 2018.
OVIC was notified of the breach in December 2018 after the former employee of an unnamed contracted service provider (CSP) was identified as having accessed personal information on the client relationship information system for service providers (CRISSP).
The individual had worked for the CSP as a case worker between April 2016 and September 2017, but after ceasing employment had “continued to access CRISSP without authorisation to find information about individuals recorded in CRISSP”.
A log check by DHHS (now the Department of Fairness, Families and Housing [DFFH]) revealed that the former CSP employee had “accessed CRISSP without authorisation 260 times between 13 September 2017 and 6 October 2018 involving 27 clients of the CSP”.
During this time, the individual was briefly employed at another "youth-focused service provider", but was stood down in or around February 2018 over allegations that he may have accessed child pornography.
However, it was not until October 2018, when a Department of Justice and Regulation employee noticed that the man had continued accessing CRISSP, that his access was revoked.
OVIC’s investigation – which was completed in May 2020, but was not immediately published due to a separate criminal investigation into the former employee – found that both DHHS and the CSP contravened the state's information privacy principles (IPPs).
The watchdog said the breach was caused by “a failure by [the former employee’s] supervisor to initiate the process to terminate… access to the CRISSP when he no longer needed access to the system”.
“This failure could be described as human error because it was contrary to the CSP’s processes for deprovisioning access to CRISSP," the report said.
"This failure was due to an inadequate handover when one manager departed the role and another took over."
The breach was also caused by “the absence of any effective secondary procedure or system for when the primary mechanism for terminating a user’s access to CRISSP failed."
"Neither DHHS nor the CSP had an effective secondary procedure or system in place," OVIC found.
OVIC said the CSP contravened IPP 4.1 by “not having any mechanisms in place to account for the risk of human error in the deprovisioning process for CRISSP”, noting that it had “made significant improvements to its off-boarding processes since”.
Under IPP 4.1, organisations, including contractors, are required to “take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure”.
DHHS also contravened IPP 4.1 for “failing to conduct any privacy or security checks on the CSP between 2008 and 2018” and “failing to take steps to confirm the currency of the CRISSP user list between 2008 and 2018”.
“The deputy commissioner found that DHHS did not do enough to both support the CSP and to seek assurance that the CSP kept user access lists for CRISSP up to date,” the report said.
“... Regular monitoring of the ways in which the CSP was meeting its privacy and security obligations was a reasonable step expected to be taken by DHHS to protect the information in CRISSP."
OVIC recommended the CSP conduct checks of CRISSP user access against payroll and other staffing records every three months and train its staff about privacy and security policies, which the organisation has now done.
DHHS has also been told to implement a procedure to periodically check the currency of user lists for CRISSP, as well as implement a “risk-tiering framework” for managing contracted service providers.
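A reconciliation of the kind OVIC recommends, as an added example that is not from the report or from either organisation: it compares a system's active user list against payroll records to find accounts that should have been de-provisioned (the secondary control that was missing), and scans access logs for use after a holder's recorded end date. All user ids, dates and log entries are constructed; CRISSP's real export formats are not known here.

```python
"""Added example: quarterly user-access reconciliation plus a post-departure access check.
All data below is constructed for illustration."""
from datetime import date

# Constructed payroll/staffing records: user id -> employment end date (None = still employed)
PAYROLL = {
    "aalvarez": None,
    "bchen": date(2017, 9, 12),   # left the contractor, but access was never removed
    "dkaur": None,
}

# Constructed export of the case-management system's active user list
SYSTEM_USERS = ["aalvarez", "bchen", "dkaur", "svc_legacy"]

# Constructed access-log entries: (user id, date of access)
ACCESS_LOG = [
    ("aalvarez", date(2017, 9, 14)),
    ("bchen", date(2017, 9, 13)),
    ("bchen", date(2018, 10, 6)),
    ("dkaur", date(2018, 1, 5)),
]

# Date on which the quarterly review is run (constructed)
REVIEW_DATE = date(2017, 12, 31)


def stale_accounts(system_users, payroll, as_of):
    """Accounts that should not be active on the review date: the holder has left,
    or there is no staffing record for the account at all."""
    stale = []
    for user in system_users:
        if user not in payroll:
            stale.append((user, "no matching staffing record"))
        elif payroll[user] is not None and payroll[user] <= as_of:
            stale.append((user, f"employment ended {payroll[user].isoformat()}"))
    return stale


def access_after_departure(access_log, payroll):
    """Log entries made after the user's recorded end date; each one is access
    that the primary de-provisioning step should have made impossible."""
    return [(user, when) for user, when in access_log
            if payroll.get(user) is not None and when > payroll[user]]


if __name__ == "__main__":
    for user, reason in stale_accounts(SYSTEM_USERS, PAYROLL, REVIEW_DATE):
        print(f"REVOKE {user}: {reason}")
    for user, when in access_after_departure(ACCESS_LOG, PAYROLL):
        print(f"INVESTIGATE {user}: accessed system on {when.isoformat()}")
```

Run against real exports, the first list is the revocation queue for the quarter and the second is the set of events that need to be treated as a breach rather than an administrative oversight.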
Despite showing “insight and a willingness to admit and address the issues that contributed to the breach”, the department was also issued with a compliance notice after the deputy commissioner decided to “exercise her discretion”.
“The CSP has implemented the recommendations made to it and DHHS (now the DFFH) is on schedule to complete all the specified actions required by the compliance notice,” Victorian information commissioner Sven Bluemmel said.
“Both organisations cooperated fully with the deputy commissioner’s investigation and demonstrated a willingness to improve their practices and learn from the incident. They recognised the incident’s gravity and responded appropriately.”
Bluemmel added that “outsourcing arrangements cannot be ‘set and forget’”, and that a government agency “retains both a legal and a moral duty to protect the personal information it collects, uses, holds, and discloses” when it shares access to its systems.
“Government organisations can outsource the management of a program, but they cannot outsource this responsibility,” he said.