[BreachExchange] Victorian Education dept accidentally publishes parent and student details online

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 12 14:02:38 EDT 2017


http://www.zdnet.com/article/victorian-education-dept-accidentally-publishes-parent-and-student-details-online/

The Victorian Department of Education has revealed that it accidentally
published the personal details of up to 115 families who made submissions
on proposed regulations for state schools.

According to the department, around 500 submissions were uploaded and
published on its website on Friday, and remained online until Saturday.

The parents whose information was published included a domestic violence
victim, as well as a parent who detailed how their dyslexic child is now
being home schooled due to a history of self-harming, according to a report
by The Age.

The Victorian Department of Education said it is "deeply sorry" for
publishing the details online, but has not said how the breach of privacy
occurred.

"The department took immediate action to take the submissions down as soon
as the breach was discovered," a department spokesperson said in a
statement on Wednesday.

"We understand the seriousness of this incident, and we are contacting
those affected to apologise directly.

"We are commissioning an independent investigation to determine what went
wrong, and to recommend steps to prevent it from happening again."

The department is now working with Google to remove all cached versions of
the submissions -- some of which were still online as of 2pm on Wednesday.

This is not the first time an Australian government department has
accidentally published personal details; back in 2014, the Department of
Immigration and Border Protection (DIBP) accidentally published the details
of almost 10,000 asylum seekers, including their full names, dates of
birth, genders, nationalities, periods of immigration detention, locations,
boat arrival information, and the reasons why an entrant was classified as
having travelled into Australia "unlawfully".

The information was available on the DIBP's website for just over eight
days, remaining on its archive site for 14 days, and was accessed 123 times
from 104 IP addresses before being pulled down. A report by the Office of
the Australian Information Commissioner at the time found that this
constituted a breach of the Privacy Act.

The breach had occurred because a DIBP staff member copied and pasted a
Microsoft Excel chart into a Word document; the underlying data used to
render the chart in Excel was embedded in the Word document along with it.
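The DIBP failure mode above is a property of the file format rather than a one-off mistake: a .docx is a zip of OOXML parts, and a pasted Excel chart can bring the source workbook (under word/embeddings/) and a cached copy of the plotted series (inside word/charts/chartN.xml) with it. The following is an added example, not code from the article or from any of the departments named: it constructs such a document in memory and then scans it the way a pre-publication check could, flagging embedded workbooks and cached chart values. The part names, the sample series and the risk labels are assumptions for illustration.

```python
"""Pre-publication check for spreadsheet data travelling inside a .docx.

Added example (not from the article). A constructed document mimics the
chart-paste leak, then scan_docx() looks for:
  * embedded workbooks under word/embeddings/ (the full source spreadsheet)
  * cached series values in word/charts/*.xml (<c:numCache>/<c:strCache>)
Real documents would be read from disk; here one is built in memory so the
example runs offline.
"""
import io
import re
import zipfile
from typing import Dict, List

# Minimal chart part with cached category labels and values.
# Constructed sample; the names and numbers are invented.
CHART_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart">
  <c:chart><c:plotArea><c:barChart><c:ser>
    <c:cat><c:strRef><c:strCache>
      <c:pt idx="0"><c:v>Client A</c:v></c:pt>
      <c:pt idx="1"><c:v>Client B</c:v></c:pt>
    </c:strCache></c:strRef></c:cat>
    <c:val><c:numRef><c:numCache>
      <c:pt idx="0"><c:v>41</c:v></c:pt>
      <c:pt idx="1"><c:v>17</c:v></c:pt>
    </c:numCache></c:numRef></c:val>
  </c:ser></c:barChart></c:plotArea></c:chart>
</c:chartSpace>"""


def build_sample_docx(with_embedded_workbook: bool = True) -> bytes:
    """Construct a skeletal .docx (zip of OOXML parts) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/charts/chart1.xml", CHART_XML)
        if with_embedded_workbook:
            # An embedded .xlsx is itself a zip; a near-empty one is enough here.
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as x:
                x.writestr("xl/workbook.xml", "<workbook/>")
            # Part name is an assumption modelled on what Word typically writes.
            z.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx",
                       inner.getvalue())
    return buf.getvalue()


# Each cached point looks like <c:pt idx="N"><c:v>VALUE</c:v></c:pt>
PT_RE = re.compile(r"<c:pt[^>]*>\s*<c:v>([^<]*)</c:v>")


def scan_docx(data: bytes) -> Dict[str, object]:
    """Return embedded workbook names, chart parts and any cached series values."""
    findings: Dict[str, object] = {
        "embedded_workbooks": [],
        "chart_parts": [],
        "cached_values": {},
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/embeddings/"):
                findings["embedded_workbooks"].append(name)
            elif name.startswith("word/charts/") and name.endswith(".xml"):
                findings["chart_parts"].append(name)
                xml = z.read(name).decode("utf-8", "replace")
                values: List[str] = PT_RE.findall(xml)
                if values:
                    findings["cached_values"][name] = values
    return findings


def publish_risk(findings: Dict[str, object]) -> str:
    """Map findings to a release decision (labels are this example's own)."""
    if findings["embedded_workbooks"]:
        return "BLOCK: full source workbook travels with the document"
    if findings["cached_values"]:
        return "REVIEW: chart caches carry the plotted series data"
    return "OK: no chart data found"


if __name__ == "__main__":
    result = scan_docx(build_sample_docx())
    print(result)
    print(publish_risk(result))
```

Re-saving a chart as a picture, or deleting the word/embeddings/ part and the chart caches before release, removes the hidden data; a check like this one belongs in whatever step approves documents for a public website.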

During the 2014 G20 summit in Brisbane, the passport numbers, visa details,
and dates of birth of leaders attending -- including those of former United
States President Barack Obama and Russian President Vladimir Putin -- were
also accidentally emailed to a member of the Asian Cup Local Organising
Committee.

Two reports into the 2016 Census debacle since then have also called the
government out on its IT incompetence, after the eCensus application fell
over during a series of distributed denial-of-service (DDoS) attacks last
year that put Australians' personal details at risk.

In an effort to legislate around informing Australians of when their
privacy has been breached, the federal government finally passed data
breach notification laws during its third attempt in February.

Under the Privacy Amendment (Notifiable Data Breaches) Act, people will in
the near future begin to be alerted when their data has been inappropriately
accessed.

The legislation is restricted to incidents involving personal information,
credit card information, credit eligibility, and tax file number
information that would put individuals at "real risk of serious harm".

Notification laws would only apply to companies covered by the Privacy Act,
and would exempt intelligence agencies, small businesses with turnover of
less than AU$3 million annually, and political parties from needing to
disclose breaches. E-health providers are still subject to the mandatory
data breach notification scheme under the My Health Records Act.

Upon a qualifying breach or on reasonable grounds to believe that a serious
data breach has occurred, the impacted entity would need to notify the
Australian Information Commissioner and affected individuals. In cases
where it is not certain a breach has occurred, the entity has 30 days to
investigate whether notification is needed.