Reports containing the phone numbers of hundreds of federal politicians were downloaded almost 1000 times while they sat on the Parliament House website for more than three months.
The privacy breach was detailed by the SMH in March. The Department of Parliamentary Services blamed contractor Telco Management, which was hired to report on telco usage and costs for parliamentarians and their staff.
Traditionally the firm stripped individual numbers from each politician's phone bill to maintain privacy. This year, however, it simply changed the colour of the text to white, meaning the numbers could still be copied and pasted.
In the aftermath DPS said it was reviewing the terms of its contract with Telco Management to determine "future courses of action".
The department removed the files from its website once it became aware of the issue, but not before they were downloaded 980 times, DPS revealed today. Each of the 236 parliamentarians has an individual file.
It told a budget estimates committee hearing that the downloads came from 88 unique IP addresses, but claimed only three people had the entire set of numbers.
It also revealed the mistake slipped through the gaps because DPS only scanned documents for "visible" data that needed to be redacted before publication.
Acting CIO Ian McKenzie said additional controls had since been put in place to check for white text on a white background, as well as the metadata associated with a file, before it is published.
"Our checks did not extend at the time in the way that they do now to look for information that's not visually available," he said.
He said Telco Management now requires one of its managers to sign off on reports to make sure all sensitive data has been removed before the files are made public.
DPS was not likely to terminate the contract given Telco Management had provided good service since 2014, was used successfully by other agencies, and provided good value for money, McKenzie said.
Phone numbers of senior government ministers including Barnaby Joyce and Christopher Pyne, among others, were accessible, but those belonging to top ministers including the Prime Minister and Treasurer were not.
McKenzie declined to provide the total number of phone numbers exposed for fear of making the dataset attractive to malicious actors, despite having removed the files from the website and Google cache.
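A pre-publication check of the kind described above, for text that is present in a file but painted white, might look like the following. It is an added example, not DPS's or Telco Management's tooling. It assumes the reports are PDFs (the article does not name the format) and that the page content stream has already been decompressed. It covers only literal strings and the `g`/`rg`/`k` fill operators, and the sample stream and phone numbers are constructed.

```python
import re

# Content-stream tokens: /names, (literal strings), array brackets, numbers, operators.
TOKEN = re.compile(rb"/[^\s()\[\]<>/]*|\((?:\\.|[^\\()])*\)|\[|\]|[-+]?\d*\.?\d+|[A-Za-z'\"*]+")
FILL_OPS = {b"g": 1, b"rg": 3, b"k": 4}   # grey, RGB, CMYK non-stroking colour
SHOW_OPS = {b"Tj", b"TJ", b"'", b'"'}      # text-showing operators

def is_white(op, operands):
    """True if this fill-colour operator sets (near-)white."""
    vals = operands[-FILL_OPS[op]:]
    if len(vals) < FILL_OPS[op]:
        return False
    if op == b"k":                         # CMYK: no ink means white
        return all(v <= 0.01 for v in vals)
    return all(v >= 0.99 for v in vals)

def find_white_text(stream):
    """Return the strings drawn while the fill colour is white."""
    hidden, operands, strings, saved = [], [], [], []
    white = False                          # PDF's default fill colour is black
    for tok in TOKEN.findall(stream):
        if tok[:1] == b"(":
            strings.append(tok[1:-1].decode("latin-1"))
        elif tok[:1] in (b"[", b"]", b"/"):
            continue
        elif tok[:1] in b"+-.0123456789":
            operands.append(float(tok.decode()))
        else:                              # an operator consumes the pending operands
            if tok in FILL_OPS:
                white = is_white(tok, operands)
            elif tok == b"q":              # save graphics state
                saved.append(white)
            elif tok == b"Q" and saved:    # restore graphics state
                white = saved.pop()
            elif tok in SHOW_OPS and white and strings:
                hidden.append("".join(strings))
            operands, strings = [], []
    return hidden

# Constructed sample: one page of a usage report with two "redacted" numbers.
SAMPLE = b"""BT /F1 10 Tf 0 g 72 700 Td (Mobile service usage: $42.10) Tj
1 1 1 rg 0 -14 Td (0491 570 156) Tj
0 0 0 rg 0 -14 Td (Total calls: 37) Tj
q 1 g 0 -14 Td [(0491) -20 ( 570 157)] TJ Q
0 -14 Td (End of report) Tj ET"""

if __name__ == "__main__":
    print(find_white_text(SAMPLE))
```

A file that yields any result here still contains the data and should go back for true removal; text hidden by other means (invisible rendering mode, covering shapes, metadata) needs separate checks.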