[BreachExchange] Immigration's 2014 data breach has cost it almost $1m so far

[Audrey McNeil]

https://www.itnews.com.au/news/immigrations-2014-data-
breach-has-cost-it-almost-1m-so-far-468274

A damaging 2014 data breach at the Department of Immigration that saw the
personal details of 9250 asylum seekers exposed online has cost the agency
almost $1 million in legal fees so far, but those costs are expected to
rise.

In its reponse to questions on notice from the May budget estimates
hearings, the department revealed $955,330 had been spent on external legal
services to manage matters resulting from its 2014 breach.

In February of that year the department accidentally published a database
of sensitive information including full names, nationalities, dates of
birth, gender, and boat arrival dates of all individuals held on Christmas
Island and in a mainland detention facility.

The data was accessible on the Immigration website for nine days, and
cached on an archived search engine for around two weeks.

The bungle occurred because Immigration staff copied charts and tables
directly from a Microsoft Excel spreadsheet used to generate statistics for
the report, resulting in the underlying data being embedded in the final
Word version.

Privacy commissioner Timothy Pilgrim subsequently found Immigration had
breached its obligations under the nation's Privacy Act.

The breach contributed to a significant rise in the number of individual
privacy complaints received by the OAIC in that year, as well as a slew of
lawsuits from asylum seekers who claimed to be more vulnerable to
persecution in their home countries because of the breach.

Immigration told the budget estimates committee current and potential
future legal action from these individuals could push its costs from the
breach higher.

"Given the varying scope and nature of the legal matters that remain on
foot, including any appeal right the parties involved will have available
to them at the conclusion of those matters, the department is unable to
provide an estimate of the costs that may be incurred in finalising all
matters related to the 2014 data breach," it said.

The agency reported seven data breaches to the Privacy Commissioner in
2015-16 - its highest number in the last five years - and has reported
three breaches so far in 2017.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170713/cb76e210/attachment.html>