[BreachExchange] Confidential details of entire WA Police Force accessed in 'startling' audit breach, CCC finds

Destry Winant destry at riskbasedsecurity.com
Fri Apr 24 10:07:20 EDT 2020


A corruption investigation has revealed a staff member in the office
that audits every WA government department accessed and downloaded
highly confidential information about all of the state's 8,800 police

The information included the officers' names and addresses and was
labelled a "startling" revelation by the state's corruption watchdog.

The Corruption and Crime Commission (CCC) tabled a report in State
Parliament today outlining how the staff member at the Office of the
Auditor General (OAG) stored the information on a spreadsheet on a
laptop computer for years after completing an audit of the WA Police

The report said there was no evidence the police data was shared, but
that did not lessen the seriousness of the incident.

"The misconduct risk is real and its value to organised crime could be
immense," the report said.

Payroll details of audit staff accessed

The incident was not the only one uncovered by the CCC.

The investigation also found two staff members who were both certified
practising accountants were able to access confidential information,
including the payroll details and bank accounts, of other OAG workers,
including the auditor-general herself.

The report said the information the man accessed included the
auditor-general's credit card statement and records of her meeting
notes with other government department heads.

Some of the material was found collated in a document folder on his
personal computer.

"His consistent explanation was that the information was available to
everyone to see and he did not think it was inappropriate at that
point in time," the report found.

"That explanation is difficult to accept."

The CCC said it accepted the staff member was "under extreme stress
due to issues of a personal nature" at the time, and that he had not
acted with a corrupt intention.

But it said his actions illustrated the serious misconduct risk that
existed when confidential information was stored without proper
controls and restrictions on access.

Storage device deliberately destroyed: CCC

A finding of serious misconduct was made against one auditor who the
CCC found deliberately destroyed a portable storage device when he was
asked to return it.

He claimed he did what he did because he was angry at the time, but
the watchdog said "there [was] another more sinister explanation

"[He] destroyed the IronKey because he did not want an examination of
what had been stored on it, what had been done with the data from it,"
the report found.

"The Commission is unable to determine whether the true purpose was:
anger, concealment, or something else.

"Regardless [he] acted to destroy the IronKey in order to cause a
detriment to the OAG, both by loss of the device itself … and the data
it held (which is unknown and therefore immeasurable)."

The CCC described all the revelations as "startling".

"OAG has independence of action and is responsible for auditing the
finances and actions of all departments of government, state and
local," the report said.

"It should be trusted to keep information confidential."

In its response to the CCC, the OAG said it took immediate remedial
action after the incidents were uncovered.

But the CCC recommended all public authorities consider reviewing
their policies on how they secured confidential information and that
they ensured regular internal checks were conducted to identify and
deter unauthorised access and disclosures.
