An independent review into the leak of 10,000 asylum seekers' personal details in February has found the information was accessed over 100 times, with auditor KPMG placing blame for the breach solely on the Department of Immigration and Border Protection.
Earlier this year the department admitted to inadvertently leaking the names, nationalities and boat arrival information of individuals held in a mainland detention facility and on Christmas Island via a document published on its website.
The immigration department immediately took the vulnerable ‘immigration detention and community statistics summary’ offline once alerted to the breach, but the politically sensitive Microsoft Word file remained available on an unnamed public site for over a week.
The department did not provide details of the incident, in order to contain the damage as much as possible, but appointed KPMG to review and report on the breach in order to avoid similar events in future. The Privacy Commissioner has also separately been investigating the leak.
In a report released by the department late yesterday, KPMG revealed that significantly more people accessed the document than previously stated, despite comments by the department late last month that the document had only been downloaded 26 times.
KPMG revealed there had been 123 hits on the file from 104 unique IP addresses, and it was “likely” each address had access to the personal information contained within.
The firm withheld specific information on who had downloaded the document to protect affected detainees, but said the file had been accessed by media organisations, Australian Government agencies, internet proxies, the Tor network and web crawlers.
KPMG found that a number of checks and balances relating to web publishing had not been met during the approvals process for the document. That process was conducted by staff who lacked experience in what to look out for in terms of IT security, and who focused on the hardcopy version of the document rather than the electronic version.
The auditor said the process had been expedited in order to meet a short deadline, and had been handled by staff members unfamiliar with certain Microsoft Word functions and unaware of IT security risks associated with online publishing.
It recommended a number of fixes to avoid a repeat of the incident, including developing a process to normalise and cleanse data being extracted for analysis in a secure environment; updating online publishing quality assurance checklists; holding online publishing workshops with all those involved in the creation of material that may be published online; and developing an IT security training program for all those handling private or sensitive data.
“The department has taken action to implement the recommendations in that report and ensure that this sort of incident does not happen again. The department deeply regrets inadvertently allowing unauthorised access to personal information,” Immigration said in a statement on its website.