A damaging 2014 data breach at the Department of Immigration that saw the personal details of 9250 asylum seekers exposed online has cost the agency almost $1 million in legal fees so far, but those costs are expected to rise.
In its response to questions on notice from the May budget estimates hearings, the department revealed $955,330 had been spent on external legal services to manage matters resulting from its 2014 breach.
In February of that year the department accidentally published a database of sensitive information including full names, nationalities, dates of birth, gender, and boat arrival dates of all individuals held on Christmas Island and in a mainland detention facility.
The data was accessible on the Immigration website for nine days, and cached on an archived search engine for around two weeks.
The bungle occurred because Immigration staff copied charts and tables directly from a Microsoft Excel spreadsheet used to generate statistics for the report, resulting in the underlying data being embedded in the final Word version.
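A pre-publication check for this failure mode, as an added example that is not from the article or the department: it assumes the final file is an OOXML `.docx`, where a pasted chart's source workbook is stored as a package part under `word/embeddings/`. The function name and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that point at an embedded workbook or OLE object.
EMBED_TYPES = ("/package", "/oleObject")


def find_embedded_data(docx_bytes):
    """Return sorted findings for parts that carry embedded source data."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            # Embedded workbooks and OLE objects live under word/embeddings/.
            if name.startswith("word/embeddings/") and not name.endswith("/"):
                findings.add(("embedded-part", name))
            elif name.endswith(".rels"):
                root = ET.fromstring(pkg.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("Type", "").endswith(EMBED_TYPES):
                        target = rel.get("Target", "")
                        findings.add(("relationship", name + " -> " + target))
    return sorted(findings)


def _build_sample(with_chart_data):
    """Constructed minimal .docx-like package used only for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        if with_chart_data:
            z.writestr("word/charts/chart1.xml", "<chartSpace/>")
            z.writestr(
                "word/charts/_rels/chart1.xml.rels",
                '<Relationships xmlns="http://schemas.openxmlformats.org/'
                'package/2006/relationships"><Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/'
                '2006/relationships/package" '
                'Target="../embeddings/Microsoft_Excel_Sheet1.xlsx"/>'
                "</Relationships>",
            )
            z.writestr("word/embeddings/Microsoft_Excel_Sheet1.xlsx",
                       b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("pasted chart", True)):
        print(label, find_embedded_data(_build_sample(flag)))
```

Any finding means the document still carries its source workbook; pasting charts as pictures before export leaves nothing for the check to flag.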
Privacy commissioner Timothy Pilgrim subsequently found Immigration had breached its obligations under the nation's Privacy Act.
The breach contributed to a significant rise in the number of individual privacy complaints received by the OAIC in that year, as well as a slew of lawsuits from asylum seekers who claimed to be more vulnerable to persecution in their home countries because of the breach.
Immigration told the budget estimates committee current and potential future legal action from these individuals could push its costs from the breach higher.
"Given the varying scope and nature of the legal matters that remain on foot, including any appeal right the parties involved will have available to them at the conclusion of those matters, the department is unable to provide an estimate of the costs that may be incurred in finalising all matters related to the 2014 data breach," it said.
The agency reported seven data breaches to the Privacy Commissioner in 2015-16 - its highest number in the last five years - and has reported three breaches so far in 2017.