[BreachExchange] Home affairs data breach may have exposed personal details of 700,000 migrants

Destry Winant destry at riskbasedsecurity.com
Mon May 4 10:23:01 EDT 2020


https://www.theguardian.com/technology/2020/may/03/home-affairs-data-breach-may-have-exposed-personal-details-of-700000-migrants

Privacy experts have blasted the home affairs department for a data
breach revealing the personal details of 774,000 migrants and people
aspiring to migrate to Australia, including partial names and the
outcome of applications.

At a time when the federal government is asking Australians to trust the
security of data collected by its COVIDSafe contact tracing app,
privacy experts are appalled by the breach, which they say is just the
latest in a long line of cybersecurity blunders.

The department’s SkillSelect platform, hosted by the employment
department, invites skilled workers and business people to express an
interest in migrating to Australia.

Expressions of interest are stored for two years and displayed on a
publicly available app, advertised on the home affairs website, so
that applicants can receive invitations for skilled work visas.

With just two clicks, users of the app can view a range of fields
including the applicants’ “ADUserID”, a unique identifier composed of
partial name information and numbers.

Searches by Guardian Australia revealed the public database contained
774,326 unique ADUserIDs and 189,426 completed expressions of
interest, searchable as far back as 2014.

Other information available includes the applicants’ birth country,
age, qualifications, marital status and the outcome of the
applications.

By applying multiple filters, a user could narrow down an expression
of interest to a single entry, revealing the other details of the
applicant.
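The filter-narrowing risk described above is exactly what a minimum-cell-size (k-anonymity style) guard on a public statistics endpoint is meant to stop. The Python below is an added example, not code from SkillSelect, the departments, or the Guardian; it uses constructed records and a hypothetical threshold K_MIN of 5. public_query releases only aggregate counts and suppresses any filter combination that matches fewer than K_MIN records, refuses direct identifiers such as the ad_user_id field as a filter altogether, and uniqueness_report is the pre-publication audit that counts how many records a combination of quasi-identifiers can single out.

```python
"""Minimum-cell-size guard and singling-out audit for a public statistics app.

Added example with constructed data; nothing here is taken from the
SkillSelect database or the departments' code.
"""
from collections import Counter
from dataclasses import dataclass

K_MIN = 5  # hypothetical threshold: release nothing for fewer matching records

@dataclass(frozen=True)
class Record:
    ad_user_id: str      # direct identifier: never a public filter or output
    birth_country: str
    age_band: str
    qualification: str
    marital_status: str
    outcome: str

# Columns that, combined, can single a person out (quasi-identifiers).
QUASI_IDENTIFIERS = ("birth_country", "age_band", "qualification", "marital_status")

# Constructed sample records (not real applicants).
RECORDS = [
    Record("u001", "Country A", "30-34", "Bachelor", "Single", "Invited"),
    Record("u002", "Country A", "30-34", "Bachelor", "Single", "Invited"),
    Record("u003", "Country A", "30-34", "Bachelor", "Married", "Not invited"),
    Record("u004", "Country A", "35-39", "Master", "Married", "Invited"),
    Record("u005", "Country A", "35-39", "Master", "Married", "Invited"),
    Record("u006", "Country A", "25-29", "Bachelor", "Single", "Not invited"),
    Record("u007", "Country B", "30-34", "Master", "Single", "Invited"),
    Record("u008", "Country B", "30-34", "Master", "Single", "Invited"),
    Record("u009", "Country B", "40-44", "PhD", "Married", "Invited"),
    Record("u010", "Country B", "30-34", "Bachelor", "Single", "Not invited"),
]

def filter_records(records, **filters):
    """Apply equality filters; direct identifiers are rejected as filters."""
    if "ad_user_id" in filters:
        raise ValueError("direct identifiers are not accepted as a public filter")
    return [r for r in records
            if all(getattr(r, name) == value for name, value in filters.items())]

def public_query(records, **filters):
    """Return aggregate counts only, suppressed when fewer than K_MIN match.

    Row-level fields (including ad_user_id) are never part of the response,
    so narrowing the filters can never reveal one applicant's details.
    """
    matched = filter_records(records, **filters)
    if len(matched) < K_MIN:
        return {"suppressed": True, "count": None, "by_outcome": {}}
    return {
        "suppressed": False,
        "count": len(matched),
        "by_outcome": dict(Counter(r.outcome for r in matched)),
    }

def uniqueness_report(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Audit run before publishing: how many records can be singled out?

    A record whose quasi-identifier combination is unique (group size 1)
    is identifiable by anyone who knows those attributes about a person.
    """
    key = lambda r: tuple(getattr(r, q) for q in quasi_identifiers)
    groups = Counter(key(r) for r in records)
    sizes = [groups[key(r)] for r in records]
    return {
        "records_total": len(records),
        "singled_out": sum(1 for s in sizes if s == 1),
        "below_k": sum(1 for s in sizes if s < K_MIN),
        "min_group_size": min(sizes) if sizes else 0,
    }

if __name__ == "__main__":
    print(public_query(RECORDS, birth_country="Country A"))
    print(public_query(RECORDS, birth_country="Country A", age_band="30-34"))
    print(uniqueness_report(RECORDS))
```

Running the audit on the constructed data reports that four of the ten records are singled out by their quasi-identifier combination and that every record sits in a group smaller than K_MIN, which is the signal that the dataset should be published only as suppressed aggregates (as public_query does) or after generalising the quasi-identifiers, never as browsable rows.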

[Image: Screenshot from the SkillSelect app taken on 30 April 2020, showing ADUserID information.]

Monique Mann, an Australian Privacy Foundation board member, told
Guardian Australia the breach was “very serious … especially at a time
where the Australian government is expecting trust”.

Mann said the information was “comprehensive” and it was “absolutely
ludicrous” after academic work by Vanessa Teague and others on the
re-identification of health data that the department would make
available “information that doesn’t even need to be re-identified, it
is contractions of people’s names”.

Mann accused the federal government of a “consistently poor track
record that shows that we cannot trust them with our personal
information” – citing “blunders” including the My Health Record,
robodebt and 2016 census.

Teague, privacy academic and chief executive of Thinking
Cybersecurity, said the presence of ADUserIDs “looks like a stuff-up”.

“It certainly looks like if you had a hypothesis about who had applied
you could guess their UserID,” she said.

“If you can use this to pin down a specific person that you’re
thinking about and from that understand what they had entered into
certain categories, then that is a way to extract information you
might not already have known.”

When Guardian Australia contacted the home affairs department,
responsible for SkillSelect, and the employment department, which
hosts the app on its domain, the platform was taken offline. It is
“currently undergoing maintenance”.


Mann said it was a further concern the department had not identified
the breach itself.

“What processes of auditing and oversight are occurring within
department of home affairs?

“This department is responsible for policing, border protection and
intelligence. You would expect a greater level of information security
than this.”

Anna Johnston, the principal of Salinger Privacy, said Australia’s
breach notification scheme requires Australian government agencies to
notify the privacy commissioner and affected individuals, of any data
breach which is “likely to result in serious harm”.

“A failure to notify an eligible data breach can be grounds for a
person to make a complaint or for the [office of the information
commissioner] to issue a penalty,” she said.

The employment department said it merely “supports [the department of
home affairs] by delivering the IT solutions for this program”.

“In line with the Australian government public data policy statement,
[the departments] collaborated in early 2020 to make available a
report which informs the public about the take-up and general
characteristics of applications received through the SkillSelect
program.

“This report does not display any personal information and focuses
primarily on the number of applications received by each occupation
code and geographic region.”
