Acting Privacy Commissioner Timothy Pilgrim will formally investigate whether customer data is secure following a claimed cyber attack on the ABS Census website.
Less than 24 hours after insisting he was “generally satisfied” with the security provisions protecting Census data, Pilgrim emerged to confirm his office would immediately commence an investigation into the attacks.
“My first priority is to ensure that no personal information has been compromised as a result,” he said in a statement.
Pilgrim's intervention came after ABS chief statistician David Kalisch blamed the extensive outage on four separate denial-of-service attacks.
Kalisch told the ABC “there was one breach that did actually get through via a third party” but insisted “[we] believe that we've plugged that gap”.
The agency has taken to Twitter in an attempt to reassure Australians who did successfully complete the Census that their data remains safe.
Steps have been taken during the night to remedy these issues, and we can reassure Australians that their data are secure at the ABS. — Census Australia (@ABSCensus) August 9, 2016
Under the Australian Privacy Act, the Privacy Commissioner has discretion to judge whether or not an organisation’s security practices and investments are up to standard when determining whether a data intrusion amounts to a breach of the laws.
In the past it has advised an “APP entity is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information” - as long as the organisation can demonstrate it has taken “reasonable steps” to protect the data in the first place.
However, if the office decides an organisation was negligent in its cyber security, it can issue fines of up to $1.7 million.
Macquarie Telecom - which provides secure internet gateway services to several Australian agencies - said that government sites generally are targeted by at least one DDoS attack every day.