The personal details of world leaders at the last G20 summit
were accidentally disclosed by the Australian immigration department, which did
not consider it necessary to inform those world leaders of the privacy breach.
The Guardian can reveal an employee of the agency inadvertently sent the
passport numbers, visa details and other personal identifiers of all world
leaders attending the summit to the organisers of the Asian Cup football
tournament.
The United States president, Barack Obama, the Russian president, Vladimir
Putin, the German chancellor, Angela Merkel, the Chinese president,
Xi Jinping, the Indian prime minister, Narendra Modi, the Japanese prime
minister, Shinzo Abe, the Indonesian president, Joko Widodo, and the British
prime minister, David Cameron, were among those who attended the Brisbane
summit in November and whose details were exposed.
The Australian privacy commissioner was
contacted by the director of the visa services division of Australia’s
Department of Immigration and Border Protection to inform them of the data
breach on 7 November 2014 and seek urgent advice.
In an email sent to the commissioner’s office, obtained under Australia’s
freedom of information laws, the breach is attributed to an employee who
mistakenly emailed a member of the local organising committee of the Asian
Cup – held in Australia in January – with the personal information.
“The personal information which has been
breached is the name, date of birth, title, position, nationality, passport
number, visa grant number and visa subclass held relating to 31 international
leaders (ie prime ministers, presidents and their equivalents) attending the
G20 leaders summit,” the officer wrote.
“The cause of the breach was human
error. [Redacted] failed to check that the autofill function in Microsoft
Outlook had entered the correct person’s details into the email ‘To’ field.
This led to the email being sent to the wrong person.
“The matter was brought to my attention
directly by [redacted] immediately after receiving an email from [the
recipient] informing them that they had sent the email to the wrong person.
“The risk remains only to the extent of
human error, but there was nothing systemic or institutional about the breach.”
The officer wrote that it was “unlikely that the information is
in the public domain”, and said the absence of other personal identifiers
“limits significantly” the risk of the breach. The unauthorised recipient had
deleted the email and “emptied their deleted items folder”.
“The Asian Cup local organising
committee do not believe the email to be accessible, recoverable or stored
anywhere else in their systems,” the letter said.
The immigration officer then recommended
that the world leaders not be made aware of the breach of their personal
information.
“Given that the risks of the breach are
considered very low and the actions that have been taken to limit the further
distribution of the email, I do not consider it necessary to notify the clients
of the breach,” she wrote.
The recommendation not to disclose the
breach to the world leaders may be at odds with privacy law in some of their
countries.
Britain, Germany and France all have different forms of mandatory data breach
notification laws that require individuals affected by data breaches to be
informed.
It is not clear whether the immigration
department subsequently notified the world leaders of the breach after the
initial assessment.
The office of the Australian immigration
minister, Peter Dutton, did not respond to questions.
Australia’s deputy opposition leader,
Tanya Plibersek, called on Tony Abbott to explain why the world leaders were
not notified of the breach.
“The prime minister and the immigration
minister must explain this serious incident and the decision not to inform
those affected,” she said.
Disclosure of the data breach is likely
to embarrass the Australian government after controversial
mandatory data retention laws were passed last week.
The passage of the laws – which require
telecommunications companies to store certain types of phone and web data for
two years – has been marked by concerns about the adequacy of privacy
safeguards by companies and government agencies that will handle the data.
The Greens senator Sarah Hanson-Young
said: “Only last week the government was calling on the Australian people to
trust them with their online data, and now we find out they have disclosed the
details of our world leaders.
“This is another serious gaffe by an
incompetent government.”
Australia’s immigration department was
also responsible for the country’s largest ever data breach by a government
agency.
In February 2014 the Guardian revealed the agency had inadvertently disclosed
the personal details of almost 10,000 people in detention – many of whom were
asylum seekers – in a public file on its website.