Data from an Excel spreadsheet containing 9,250 asylum seekers’ personal information was mistakenly embedded in a Word document published online.
Following a data breach in February 2014 that exposed the personal details of almost 10,000 asylum seekers in Australia, an investigation by the Office of the Australian Information Commissioner (OAIC) has determined that the country’s Department of Immigration and Border Protection (DIBP) “unlawfully disclosed personal information.”
The investigation also found that the DIBP “breached the Privacy Act by failing to put in place reasonable safeguards to protect the personal information it held against loss, unauthorized access, use, modification or disclosure and against other misuse.”
According to the OAIC report, the breach could have been avoided had DIBP staff better understood the need for careful management of embedded data in documents made available online.
When the DIBP published a document on its website containing statistical information on asylum seekers on February 10, 2014, an Excel spreadsheet containing approximately 9,250 asylum seekers’ personal information was mistakenly embedded in the Microsoft Word version of the document.
The information, which was available on the DIBP website for about eight and a half days, included asylum seekers’ names, genders, citizenships, birthdates, periods of immigration detention, locations, boat arrival details, and reasons why each individual was deemed to be unlawful.
“The Commissioner found that the data breach was caused by the failure of a number of Departmental policy documents to adequately mitigate against the known risk of embedded data,” the OAIC report states. “This included the failure of DIBP to make Departmental staff aware of the risk of embedded data. These failures led to the errors by Departmental staff who created and cleared the Detention report.”
According to the report, the DIBP staff who created the report “copied charts and tables directly from the Microsoft Excel spreadsheet, resulting in the underlying data being embedded in the Microsoft Word version of the Detention report. This was contrary to the relevant Departmental policy, which stated that graphs should be copied and pasted as pictures into Microsoft Word documents.”
Still, the OAIC report found that the departmental policy didn’t include information on why copying and pasting graphs as pictures was necessary. “If DIBP had explained the reason for this direction, staff may have better understood the risks of embedded data and why this instruction was necessary,” the report states.
“Similarly, the Commissioner found that had DIBP appropriately trained Departmental staff involved in the creation of the Detention report to understand the risks of embedded data and how those risks could arise, and in how to copy and paste graphs as pictures, the staff may have avoided making the error,” the report adds.
It’s a common problem — an Enterprise Management Associates survey recently found that more than 56 percent of employees at organizations ranging from fewer than 100 employees to more than 10,000 haven’t received any security awareness training at all.
A recent eSecurity Planet article offered advice on how to offer security awareness training that works, including two tips that could have helped the DIBP prevent this breach: explain why security policies are needed, and show users specific examples of security no-nos.
Guardian Australia notes that while the OAIC has now closed its investigation, 1,600 individual complaints relating to the breach will still have to be resolved separately.