
Wednesday, 17 January 2018

Things you should know if you are logging on to a website using your Facebook account

Facebook for developers

The Daily Telegraph, 5 January 2018:

Ian Cox of said: “If you’ve ever pressed ‘Login with Facebook’ on a website, you’re giving Facebook permission to share sensitive data with the site you are visiting.

“This includes, for example, your personal email address, where you live, where you work, details about your relationship, places you have recently been and who you’re friends with.

“In today’s digital age, people are sharing just about everything on social media sites like Facebook. But most are unaware of just how much can be seen by brands, businesses and, in some cases, criminals.

“The best way to stay protected online is to only share what you would be happy with the whole world seeing.

“As tempting as it may be to rejoice about the fact that the whole family is going on a weekend away, keep in mind that you may be inadvertently letting criminals know that your house is empty during this time.”


* Your public profile (name, age, gender, location, profile picture, timezone)
* All your likes
* Your friends
* Where you are now
* Your email address
* Your photos
* Your “about me” section
* All your posts
* Your birthday
* Your relationship details
* Your education history
* Your religion/politics
* Events you’ve been to
* Your work history
* Where you are from
* Your phone number
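The categories above are released to a site only for the Facebook Login permissions that site requests, and a site puts those permission names in the `scope` parameter of the Facebook OAuth dialog URL behind its "Login with Facebook" button. The example below is added here and is not from the original post or from Facebook: it parses that URL, lists which of the article's data categories the requested permissions cover, and flags anything beyond a minimal login baseline. The permission names are Facebook Graph API permission names current at the time of the article; the mapping to the article's categories, the baseline, and the sample URLs are this example's own assumptions (the article's "phone number" item has no permission in this table).

```javascript
// Added example: audit the permissions behind a "Login with Facebook" URL.
// Not code from the original post or from Facebook.

// Facebook Login permission name -> data category from the article's list.
// The mapping is an assumption made for this example.
const PERMISSION_TO_CATEGORY = {
  public_profile: "your public profile",
  user_likes: "all your likes",
  user_friends: "your friends",
  user_location: "where you are now",
  email: "your email address",
  user_photos: "your photos",
  user_about_me: "your 'about me' section",
  user_posts: "all your posts",
  user_birthday: "your birthday",
  user_relationships: "your relationship details",
  user_education_history: "your education history",
  user_religion_politics: "your religion/politics",
  user_events: "events you've been to",
  user_work_history: "your work history",
  user_hometown: "where you are from",
};

// What a plain "log me in" integration needs (assumed least-privilege baseline).
const LOGIN_BASELINE = new Set(["public_profile", "email"]);

// Extract the permission names from the `scope` parameter. Facebook documents
// comma-separated scopes; some clients send space-separated ones, and the
// value may be URL-encoded (URLSearchParams decodes it). Duplicates are dropped.
function parseScopes(authUrl) {
  let url;
  try {
    url = new URL(authUrl);
  } catch (e) {
    return []; // not a parseable URL: nothing to audit
  }
  const raw = url.searchParams.get("scope") || "";
  const seen = new Set();
  for (const part of raw.split(/[\s,]+/)) {
    const name = part.trim().toLowerCase();
    if (name) seen.add(name);
  }
  return [...seen];
}

// Report what the site is asking for beyond the login baseline.
function auditLoginUrl(authUrl) {
  const requested = parseScopes(authUrl);
  const excessive = requested.filter((s) => !LOGIN_BASELINE.has(s));
  const categories = excessive
    .filter((s) => s in PERMISSION_TO_CATEGORY)
    .map((s) => PERMISSION_TO_CATEGORY[s]);
  // Permissions this table does not know about are reported rather than ignored.
  const unknown = excessive.filter((s) => !(s in PERMISSION_TO_CATEGORY));
  return { requested, excessive, categories, unknown, overPrivileged: excessive.length > 0 };
}

// Constructed sample URLs (placeholder app id and redirect, not real sites).
const SAMPLE_MINIMAL =
  "https://www.facebook.com/v2.11/dialog/oauth?client_id=APP_ID_PLACEHOLDER" +
  "&redirect_uri=https%3A%2F%2Fexample.com%2Fcb&scope=public_profile%2Cemail";
const SAMPLE_GREEDY =
  "https://www.facebook.com/v2.11/dialog/oauth?client_id=APP_ID_PLACEHOLDER" +
  "&redirect_uri=https%3A%2F%2Fexample.com%2Fcb" +
  "&scope=public_profile,email,user_friends,user_location,user_posts,user_birthday,user_birthday";

for (const sample of [SAMPLE_MINIMAL, SAMPLE_GREEDY]) {
  const report = auditLoginUrl(sample);
  console.log(report.overPrivileged ? "OVER-PRIVILEGED" : "baseline only", report.categories);
}
```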

Friday, 15 December 2017

Crime trends in the Clarence Valley October 2007 to September 2017

In the ten years between October 2007 and September 2017 crime trends in the Clarence Valley Local Government Area have remained numerically and statistically small in 5 crime categories covering murder and violent robbery.

Crime trends remain stable in 6 crime categories (assault unrelated to domestic violence, sexual assault & other sexual offences, stealing from a car and stealing from a store) and have fallen in another 4 crime categories (stealing motor vehicles, break and enter of dwellings & non-dwellings, and malicious damage).

Crime trends have risen in only 2 out of 17 commonly listed crime categories over these ten years – Fraud up 10.5 per cent & Assault – Domestic Violence Related up 3.6 per cent.

October 2007 to September 2017
Fraud, Clarence Valley Local Government Area
Statistically significant Upward trend over the 120 month period.
The average annual percentage change was: 10.5%

October 2007 to September 2017
Assault - domestic violence related, Clarence Valley Local Government Area
Statistically significant Upward trend over the 120 month period.
The average annual percentage change was: 3.6%

Other crimes that are often mentioned whenever the subject of crime arises.

October 2007 to September 2017
Sexual assault, Clarence Valley Local Government Area
No statistically significant upward or downward trend over the 120 month period.

October 2007 to September 2017
Indecent assault, act of indecency and other sexual offences, Clarence Valley Local Government Area
No statistically significant upward or downward trend over the 120 month period.

October 2007 to September 2017
Break and enter - dwelling, Clarence Valley Local Government Area
Statistically significant Downward trend over the 120 month period.
The average annual percentage change was: -5.5%

October 2007 to September 2017
Motor vehicle theft, Clarence Valley Local Government Area
Statistically significant Downward trend over the 120 month period.
The average annual percentage change was: -4.2%

October 2007 to September 2017
Malicious damage to property, Clarence Valley Local Government Area
Statistically significant Downward trend over the 120 month period.
The average annual percentage change was: -5.9%

As for drug and alcohol offences in the Clarence Valley Local Government Area (est. resident population 51,367), the data collected over the ten-year period revealed that cannabis cultivation was stable but possession and use of cannabis had risen over that period, while possession and use of cocaine, ecstasy, narcotics and other drugs was numerically small and statistically insignificant over those same ten years.


Selected crimes across 17 major crime categories.

NSW Bureau of Crime Statistics and Research Crime Trends Interactive Tool to create graphs and tables for other NSW local government areas.

Friday, 24 November 2017

Can anyone believe anything Australian Human Services Minister Alan Tudge and his motley crew say?

The New Daily,  21 November 2017:

The Department of Human Services flagged the illegal sale of Medicare details on the dark web almost a fortnight before the illicit trade was exposed in a bombshell media report, The New Daily can exclusively reveal.

Internal emails, obtained under freedom of information laws, reveal that department officials discussed the security issue as early as June 22 – nearly two weeks before revelations that Medicare numbers were being sold online.

On July 4, The Guardian revealed that a dark web vendor was advertising the sale of any Australian’s Medicare number for the bitcoin equivalent of just $22 after exploiting a government system vulnerability.

In the wake of the revelations, Human Services Minister Alan Tudge said that he and his department had only learned of the illicit trade when contacted by a Guardian journalist on July 3.

However, high-priority correspondence within DHS shows that senior officials discussed the trade on the dark net, which is only accessible through a customised browser, nearly two weeks before it made the news.

On June 22, Rhonda Morris, national manager for serious non-compliance, raised the issue with Kate Buggy, national manager for internal fraud control and investigations, and Mark Withnell, general manager of business integrity, as well as several unnamed officials.

In a later email on July 3, Mr Withnell apparently connected The Guardian’s inquiries to the department’s earlier discussions on the issue, writing to colleagues: “This is the one I was mentioning last week.”

It is unclear exactly what DHS knew about the sale of Medicare details on the dark web prior to July’s media report.

Citing exemptions related to law enforcement and criminal investigations, the department redacted most of the content of the emails released to The New Daily.

It refused to release numerous other related emails entirely.

A DHS spokesman denied the department had knowledge of a specific breach in June and said its internal discussions had only related to general matters……

In September, DHS told the Senate that as many as 165 people may have had their Medicare numbers sold to unknown parties, although there had been no unauthorised access of any Australian’s health records.

Last month, a separate review commissioned by the department recommended beefing up the authentication procedures required to access the online database used by healthcare professionals.

Although the AFP is continuing to investigate the source of the breach, the government has said it was likely the result of “traditional criminal activity” rather than a cyber attack.

In February, DHS was embroiled in controversy after it released the personal information of a Centrelink recipient to a journalist in order to defuse claims she made in the media.

Thursday, 19 October 2017

So troubled multinational Serco's staff are going to answer phone calls made to Centrelink in a Turnbull Government pilot program?

Multinational Serco Group plc registered in England and Wales, with revenue in 2016 of an est. $5 billion and an underlying trading profit of est. $139 million, has made the news again.

One of its subsidiaries, SERCO CITIZEN SERVICES PTY LTD1 ABN: 89 062 943 640, won this $53.75 million federal government contract commencing 7 September 2017:

CN ID: CN3460117
Agency: Department of Human Services
Publish Date: 11-Oct-2017
Category: Temporary personnel services
Contract Period:
7-Sep-2017 to 29-Oct-2019
Contract Value (AUD): $53,752,454.80
Description: Centrelink Call Centre Enhancements Initiative

On 11 October 2017 it was reported that the Minister for Human Services Alan Tudge stated that this contract was for a pilot, commencing in late October 2017, that would help reduce Centrelink call wait times.

An est. 250 Melbourne-based Serco staff will take calls about welfare payments in the three-year pilot program.

Of course Serco will comply, Minister.

Just as it has on every single contract in the past......

Stolen Laptop Exposes Personal Data on 207,000 Army Reservists. Serco held the data on reservists as part of its contract with the U.S. Army’s Family and Morale, Welfare and Recreation division. As a result, Dahms said, some of the data on the missing laptop may belong to dependents and spouses of U.S. Army reservists, 13 May 2010

Serco's paper trailer raises accountability questions. Crikey has taken a closer look at the extent that Serco contracts outsources to other companies and can reveal that millions of dollars from the detention contract has ended up in some startling places, 1 November 2010

Serco employee suspected of Victoria Police breach. Man accused of adjusting 67,541 traffic infringement records, 15 April 2011

Serco operates and maintains a surprisingly large and diverse range of services in both the UK and Australia, as well as in several other countries. Its website lists some examples of the scale of its operations including: traffic management systems covering more than 17,500kms of roads worldwide, managing 192,000 square miles of airspace in five countries, managing education authorities on behalf of local governments, and providing defence support services worldwide.[2] Serco also manages a number of hospitals, prisons and detention centres, and is involved in a host of other services.[3]…..Focussing on the company Serco, there have been numerous reports of instances where its service provision has been sub-standard, high-cost, has eliminated diversity, or has lacked accountability. Putting this focus on Serco’s faults is not to say that it is any more prone to failures than other corporations in this area, or that it is always unsuccessful in its service provision. Rather, the point is to show clearly the dangers of privatisation, and why it must not be accepted as a universal good, 7 March 2012

Sources in the justice system blamed the foul-up on staffing issues at Serco. One said: "This sort of thing happens every week." The seven-year PECS deal has turned into a horror show for Serco. It faces allegations that it doctored transfer records to flatter its performance, with five Serco staff under investigation by the City of London police. That is not its only problem contract. There are separate claims that, along with rival outsourcer G4S, it overcharged taxpayers on a deal to put electronic tags on criminals, 17 October 2013

Private contractors Serco has agreed to repay £68.5million to the taxpayer after over-charging for tagging criminals. The firm was investigated by the Ministry of Justice over claims that together with rival company G4S it over-charged for tens of thousands of criminals, including those who had left the country, been returned to prison or even died, 19 December 2013

Outsourcing giant Serco is embroiled in a fresh misuse of public funds scandal after a company it set up overcharged NHS hospitals millions of pounds, 27 August 2014

Serco is failing, but is kept afloat thanks to Australia's refugee policy. It’s a sign of the times that a company like Serco, with murky financial statements masking its true economic shape, is continually rewarded for failure by new and larger contracts, 11 November 2014

Serco turned 'blind eye' to corruption in UK immigration jail, court hears, 26 February 2015

Serco has brought a culture of profiteering, bullying, intimidation and corruption to Mt Eden prison, a Whangarei barrister says. The comments come as controversy surrounds the private company that operates the prison, and with Corrections boss Ray Smith revealing a third incident at the facility has left him no choice but to seek legal advice in regards to the contract, 24 July 2015

On Monday, Serco was fined $NZ500,000 ($A328,750) and was prohibited from overseeing operations at the correctional facility while an internal investigation took place. The fine came after six disturbing videos — shot on a smartphone and smuggled inside the prison — surfaced on YouTube earlier this month. The videos showed prisoners participating in organised ‘fight clubs’ as large groups of fellow inmates watch on. Inmates were also seen blatantly smoking and drinking alcohol in the videos, which were captured without the knowledge of staff. However, the NZ prison officers union said bosses knew about the fight club for up to 18 months, but did nothing about it, 29 July 2015

A GUARD at the Wickham Point Detention Centre in Darwin has been fired after it was found he was trying to coerce female detainees into having sex with him. Serco, the company contracted to run Australia’s immigration facilities, said in a statement to the NT News that a detainee services officer from Wickham Point was dismissed in late May following two separate complaints from female detainees, 6 August 2015

Serco targets further cost cutting as it seeks to keep its profits on track. Serco boss Rupert Soames has said the company still has costs to cut before it is trading at full strength, as the firm enters the middle stage of its five-year turnaround plan. He said that there were plans to further reduce overheads and make Serco’s processes more efficient, as well as bringing down some of its IT costs. “We’ve still got a lot of costs that we have to get out of the business,” he said, 3 August 2017.


1. Serco provides care and welfare services, on behalf of the Department of Immigration and Border Protection, to people living in Australian onshore immigration centres whilst their visa status is resolved. Since 2009, more than 61,000 individuals have been in our care, representing more than 20 different cultural and linguistically diverse communities. Within the Australian justice system, Serco operates three prisons: the Southern Queensland Correctional Centre (Queensland) with 400 beds, Acacia Prison (Western Australia) with 1400 beds and the Wandoo Reintegration Facility (Western Australia) with 80 beds.

Wednesday, 5 July 2017

Would you trust these men with your personal health information?

The darknet vendor says they are “exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay. I hope, lol.” [The Guardian, 4 July 2017]
Left to Right: Minister for Human Services and Liberal MP for Aston, Alan Tudge
& Minister for Health and Liberal MP for Flinders, Greg Hunt

These two federal politicians have portfolio responsibility for some of the largest government databases in Australia.

One has portfolio responsibility for those sensitive e-health records which are due to be rolled out nationally on an opt-out basis by 2020.

This is how secure your personal information is on their watch…….

The Australian Federal Police is investigating reports Australians' personal Medicare details are being accessed and sold on the dark web, an apparent breach that has been labelled an "internet catastrophe".

According to a Guardian Australia report, an online vendor can pull up the full Medicare card details of any Australian on request — and is selling them for around $30 each — indicating a security hole somewhere in the health system.

Human Services Minister Alan Tudge said the government was taking the matter seriously. 

The sales are reportedly listed on an undisclosed dark web marketplace, in which the vendor claims to be "exploiting a vulnerability" in order to run software that pulls the data. The vendor calls it "the Medicare Machine".

"Leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full", the listing says, adding that the nature of the security hole being utilised means the vendor will be "here to stay".

In a statement, Mr Tudge said any unauthorised access to Medicare card numbers was "of great concern" and his department was also conducting its own investigation.

Medicare's database was always a honeypot waiting to be exploited once governments embraced data matching, data retention and data sharing with much enthusiasm but little understanding.

Once someone decides they want your Medicare details, ID theft is now just 0.0089 bitcoin away - as is your abusive former spouse/partner or that anonymous stalker or Internet troll that has been making your life a misery.


Anthony Baxter, 4 July 2017:

You supply the person with name, date of birth and gender and around $30 of Bitcoin and they'll give you the person's Medicare number. This is pretty bad, as it allows identity thieves to forge them - a Medicare card is usually worth 25 points on the standard 100 point ID check here. The AU govt had no idea this was happening until the journo from The Guardian let them know.

It turns out there's a portal that any health care provider can use to look up Medicare numbers this way. In case you've lost your card or whatever. Likely it's someone who works for one of them selling access, or someone's popped a PC there (more on that to come).

When asked, the relevant government minister (the same guy who presided over the Census fuckup last year (update: I misremembered, that was a different clown), the accidental publishing of PBS data that was poorly deidentified and the ongoing Centrelink robodebt nightmare) claimed it's OK because you can't get access to someone's medical records through the shiny new online electronic health records system with just a Medicare number. Aside from ignoring the ID theft issue there's a liiiiiittle bit of an issue here.

Guess what information you need along with the Medicare number to pull someone's medical records? Did you guess "name, date of birth and gender"? Collect your prize.

The folks who did the Privacy Impact Assessment on the electronic health records system were told it would be secure because you needed the Medicare number as well as name/DOB/gender, and weren't told you could use the latter to look up the former.

It Gets Worse.

In theory you can only look up this stuff from a secure endpoint, with a client-side certificate installed. Which in practice means maybe 20K PCs scattered across every doctor's office in the country. Worse still, many of these client certs were originally sent out via unencrypted email, and a nontrivial number were "lost". And you reckon all or even a significant fraction of these 20K boxes are running modern Windows with up to date patches? Me neither. I can't count the number of times I've been left alone in a room with an unlocked doctor's PC while he went to check something.

It (Incredibly) Gets Even Worse.

They have a Two Factor Auth system which doctors are supposed to use. One of the ways to get the 2FA key is, and I wish I was joking here, email.

So get access to a box running some XP/Win7 version that's ludicrously unpatched that's also logged into the doctor's email, collect health care records. Australian government cannot computer.

At the moment the electronic health records thing is opt-in, at some point next year they'll be moving to an opt-out scheme with a window to opt-out. There's an email form here where you can sign up to be notified when the window to opt the hell out is opened and I urge everyone to do so A


The federal government was warned more than three years ago of security deficiencies surrounding personal Medicare data, with the Department of Human Services told it was not fully complying with spy agency rules.

Questioning the department's ability to keep the data safe from "security threats from external and internal sources", the government auditor made a series of recommendations in April 2014 but it is unclear if they were fully implemented.

Monday, 26 June 2017

Can the CSIRO sink any lower?

“Collaborating with government. As a trusted adviser to government, our collaboration within the sector supports it to solve challenges, find efficiencies and innovate.” [CSIRO, Data61]

The Commonwealth Scientific and Industrial Research Organisation (CSIRO) is a federal government corporate entity ultimately responsible to the Australian Parliament.

It started life in the midst of global conflagration in 1916 and for most of its existence it was widely respected both in its country of origin and around the world.

Sadly that level of respect has been diminished in recent years as commercial imperatives saw it move away from its once proud boast that:

However, it had not yet become a low creature of right-wing political ideology.

Until now – when it appears willing to participate in enforcing punitive social policies, cynically presented in the guise of Budget measures by the Turnbull Coalition Government.

In particular, enabling the trial drug testing of income support applicants “based on a data-driven profiling tool developed for the trial to identify relevant characteristics that indicate a higher risk of substance abuse issues” which almost inevitably will target the poor and vulnerable.

Apparently the only matter holding the CSIRO back from full commitment to the trial is the matter of contract negotiations with the Dept. of Social Security and/or Dept. of Human Services1.

The cost of this measure has reportedly been deemed by government to be “commercial-in-confidence”.

InnovationAus, 2 June 2017:

CSIRO has still not officially agreed to allow its Data61 analytics unit to become involved in the government’s highly contentious welfare drug testing program, a Senate estimates hearing has been told.

But the delay appears to be related to difficult contract negotiations – for which the research agency is well known – rather than the objections of staff or management to becoming involved in such a politically-driven program.

The Department of Industry, Innovation and Science and CSIRO appeared at the Senate estimates on Thursday morning.

The shocking concession that CSIRO has been in discussion to work on the drug-test project since April comes despite the organisation having specifically declined to confirm any knowledge of the project for weeks – let alone that it was actively negotiating a contract.

This is despite direct questions being put to CSIRO on multiple occasions for weeks.

The estimates hearing also revealed that Data61 has been called into the controversy plagued Social Services robo-debt project that has mistakenly matched debt to welfare recipients.

CSIRO digital executive director David Williams told shadow industry minister Kim Carr that while CSIRO was approached by the Social Services department about the welfare drug testing scheme in late April – less than a month before its involvement was prematurely announced by Cabinet Minister Christian Porter – it is still yet to officially sign on to the project.

“The Department of Social Services approached CSIRO in early April, wanting to implement a trial involving activity tested income support recipients across a small number of geographical areas,” Mr Williams told senate estimates.

“They asked for Data61’s support in doing the analysis to see whether predictive analytics could help them in that task.”

“Since that time we’ve been talking with the department, and scoped out a statement of work and we’ve looked at how we can implement that work should we sign a contract and proceed. At this moment we’re working through the procedures inside CSIRO.”


1. The CSIRO already has a business relationship with the Australian Department of Human Services (DHS). Commencing in February 2017 the CSIRO and/or CSIRO Data61 conducted a Review of Online Compliance Systems, as well as supplying Specialist Data Science Services and Selection Methodologies Advice to the department. See;

Tuesday, 22 November 2016

Have an Optus, Vodafone or Telstra mobile phone account? Your personal details may be on sale in Mumbai

The Sydney Morning Herald, 16 November 2016:

Corrupt insiders at offshore call centres are offering the private details of Australian customers of Optus, Telstra and Vodafone for sale to anyone prepared to pay.

A Fairfax Media investigation can reveal Mumbai-based security firm AI Solutions is asking between $350 and $1000 in exchange for the private information, but even more if the target is an Australian "VIP, politician, police, [or] celebrity".

AI Solutions is just one of potentially several private companies selling phone records, home addresses and other private details of Australian telecommunication company customers. They in turn have received the information from employees of the call centres used widely by Australian businesses.

Security industry sources said the practice has been long-standing. AI Solutions has told customers it has sold people's personal data for several years.

Optus has called in the federal police to investigate the data breach after it was contacted by Fairfax Media.

Optus, Telstra - which is holding an investor briefing in Sydney on Thursday - and Vodafone have stressed they are aware of the problem and have invested heavily in security procedures to counter it.

The revelation underscores the risks facing Australian consumers and businesses as a vast amount of personal or private data is collected and often stored offshore by service providers, financial institutions and government agencies.

It also raises fresh concerns about risks faced in using offshore call centres, where it may be more difficult to ensure data security.

AI Solutions actively markets its services to prospective Australian clients via an Indian businessman who uses the name Imran Khan. It is unclear if this is a false name.

But Fairfax Media has confirmed that AI Solutions has previously, and on numerous occasions, sold Australians' personal data to third parties.

It recently wrote to a Melbourne corporate intelligence and security company, boasting that it has a "long list" of Australian clients buying data from the offshore call centres.

"There are … 3 major telecom numbers details I can provide you. Telstra, Vodafone and Optus," the Indian company's representative wrote in a text message to a prospective client seen by Fairfax Media.

The company charges $350 to provide a person's home address and charges $1000 for a "full extract". This includes a person's home address, date of birth, alternative phone numbers and "more than 1 years billing statements" and "calling data history".

"And for VIP, politician, police, celebrity, charges are different," one message said.

While the data being illegally sold will not contain the actual content of text messages or what has been said during phone calls, it does contain information about who a person has called, the location at which a call is made and other sensitive data and metadata.

This information could be of use to companies engaged in corporate spying or intelligence gathering, private investigators, marketing firms and organised criminals seeking to engage in identity fraud, or to locate people. It is possible that foreign intelligence services could also use the data theft service.

The Indian firm requests payment via Western Union or Money Gram remittance services……

The Australian Federal Police said it had spoken with Optus and Vodafone and had subsequently provided information to Indian authorities.

Office of the Australian Information Commissioner, media release, 17 November 2016:

Statement by the Australian Information and Privacy Commissioner, Timothy Pilgrim, on personal information of Australian telecommunication customers

17 November 2016

I am concerned about allegations that personal information of Australian telecommunication customers is being offered for sale online. My office is making enquiries with Optus, Telstra and Vodafone to determine what further action I may take in this matter.

These allegations, and the community response they have generated, are a reminder that Australian customers expect businesses to handle their personal information in line with Australian law no matter where they operate. 

If anyone has privacy concerns about this incident they can contact my office on 1300 363 992 or

Tuesday, 25 November 2014

What could possibly go wrong when the Abbott Government is creating Fortress Australia to protect us all from a veritable host of 'terrors'?

When the Abbott Government’s wider surveillance powers were passed by the Senate, the Australian public was being assured by both major parties that the sweeping ‘anti-terrorism’ legislation had built-in safeguards which would protect us all from overreach by intelligence agencies and police.

The good citizens of Tacoma in Pierce County, Washington, United States probably thought they were protected too. After all, didn’t the police need to get a warrant from a Superior Court judge?

The News Tribune article of 15 November 2014 shows just how easily a mockery can be made of surveillance laws:

Pierce County judges didn’t know until recently that they’d been authorizing Tacoma police to use a device capable of tracking someone’s cellphone.
Now they do, and they’ve demanded that police change the way they get permission to use their so-called cell site simulator.
From 2009 to earlier this year, the county’s Superior Court judges unwittingly signed more than 170 orders that Tacoma police and other local law enforcement agencies say authorized them to use a device that allows investigators to track a suspect’s cellphone but also sweeps cellphone data from innocent people nearby.
In August, the assistant chief of the Tacoma Police Department told The News Tribune that investigators never deployed the device — a cell site simulator, commonly known as a Stingray — without court authorization.
The newspaper since learned police never mentioned they intended to use the device when detectives swore out affidavits seeking so-called “pen register, trap and trace” orders allowing them to gather information about a suspect’s cellphone use and location…..
Neither the pen register orders nor the affidavits filed by law enforcement mentioned that police had a Stingray or intended to use it.
Instead, detectives used language commonly associated with requesting an order that would force a cellphone company to turn over records for a particular phone, and, where possible, the real-time location of the phone…..

The News Tribune 17 November 2014:
The Tacoma Police Department, which owns the Stingray, did not want to reveal it to the public. The FBI, which provided it, was leaning on the city to keep the technology secret. As a result, the judiciary that monitors investigations for constitutional abuses wasn’t aware of the kind of surveillance it was authorizing. However noble the motives, this was subterfuge….
But a Stingray — which employs technology known as cell site simulation — is so much more intrusive than conventional surveillance that it demands extra scrutiny. It pulls in cellphone transmissions from all callers in a given area and identifies the unique signatures of each phone…..
This could get spooky in a hurry. The Pierce County Superior Court now has another safeguard in place: Police must sign affidavits that they will not store data on people who are not targets of the investigation…..

Think this example of overreach is too far removed from Australia to matter? Think again…..

The Sydney Morning Herald reported on what is already occurring in Australia on 7 July 2014:

Australian federal and state police are ordering phone providers to hand over personal information about thousands of mobile phone users, whether they are targets of an investigation or not.
Fairfax Media has confirmed Australian law-enforcement agencies are using a technique known as a "tower dump", which gives police data about the identity, activity and location of any phone that connects to targeted cell towers over a set span of time, generally an hour or two.
A typical dump covers multiple towers and mobile providers, and can net information about thousands of mobile phones.
The dumps are usually used in circumstances when police have few leads and can be a useful, powerful tool in tracking down criminals. But privacy advocates say that while they may be helpful to police, they also target thousands of innocent people and don’t have any judicial oversight.
In addition to no warrant being required to request a tower dump containing the mobile phone data of thousands of people to track down one or more criminals involved in a crime, privacy advocates also question what is being done to the data collected once an investigation is complete…

Wednesday, 19 November 2014

Australian Information Commission finds Department of Immigration and Border Protection unlawfully disclosed personal information of asylum seekers

Office of the Australian Information Commission, media release on Wednesday, 12 November 2014:

Department of Immigration and Border Protection unlawfully disclosed personal information of asylum seekers

The Department of Immigration and Border Protection (DIBP) has been found in breach of the Privacy Act 1988 by failing to adequately protect the personal information of approximately 9,250 asylum seekers. They have also been found to have unlawfully disclosed personal information.
The Office of the Australian Information Commissioner (OAIC) was notified by the Guardian Australia on 19 February that a ‘database’ containing the personal information of ‘almost 10,000’ asylum seekers was available in a report on DIBP’s website. DIBP removed the report from its website within an hour of being notified. The report was available on DIBP’s website for approximately eight and a half days.

The categories of personal information compromised in the data breach consisted of full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why the individual was deemed to be ‘unlawful’.

‘This incident was particularly concerning due to the vulnerability of the people involved,’ said Australian Privacy Commissioner, Timothy Pilgrim.

The breach occurred when statistical data was mistakenly embedded in a Word document that was published on DIBP’s website. The report was accessed a number of times, and was republished by an automated archiving service.

Mr Pilgrim said that OAIC’s investigation found that DIBP was aware of the privacy risks of embedding personal information in publications, but that DIBP’s systems and processes failed to adequately address those risks. This meant that DIBP staff did not detect the embedded information when the document was created or before it was published.  

‘This breach may have been avoided if DIBP had implemented processes to de-identify data in situations where the full data set was not needed,’ he said.

This data breach also demonstrates the difficulties of effectively containing a breach where information has been published online, and highlights the importance of taking steps to prevent data breaches from occurring, rather than relying on steps to contain them after they have occurred.

‘I have made a number of recommendations about how DIBP could improve their processes, including requesting that they engage an independent auditor to certify that they have implemented the planned remediation. I have asked DIBP to provide me with a copy of the certification and the report by 13 February 2015’, Mr Pilgrim said.

The OAIC is still receiving privacy complaints from individuals affected by the breach. The OAIC has received over 1600 privacy complaints to date, and these complaints are ongoing.



As this breach occurred prior to 12 March 2014, the Privacy Commissioner’s powers under the Privacy Act 1988 were limited to making recommendations.
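The Commissioner’s finding turns on a check DIBP did not have: detecting source data embedded in a Word document before it is published. As an added illustration (not part of the OAIC release or any DIBP tooling), the Python script below treats a .docx as the zip archive it is and flags embedded workbooks and chart parts that carry cached source values. The sample documents it scans are constructed in memory; the part names follow the Office Open XML layout (word/embeddings/, word/charts/).

```python
"""Pre-publication check for embedded data in a .docx file.

A Word document is a zip archive. A chart pasted from Excel carries its
source data twice: as cached values inside word/charts/chartN.xml and,
usually, as a complete embedded workbook under word/embeddings/. Either
part can leak the full data set even when the visible chart shows only
aggregate figures.
"""
import io
import re
import zipfile

# Embedded spreadsheets (and OLE .bin objects) under word/embeddings/.
WORKBOOK_PART = re.compile(r"^word/embeddings/.+\.(xlsx|xlsm|xls)$", re.I)
CHART_PART = re.compile(r"^word/charts/chart\d+\.xml$", re.I)
# Cached literal values inside chart XML: the numbers behind the bars.
CACHE_TAG = re.compile(rb"<c:(numCache|strCache)>")


def scan_docx(data: bytes) -> dict:
    """Return the document parts that carry source data alongside the text."""
    findings = {"embedded_workbooks": [], "other_embeddings": [],
                "charts_with_cached_data": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if WORKBOOK_PART.match(name):
                findings["embedded_workbooks"].append(name)
            elif name.startswith("word/embeddings/"):
                findings["other_embeddings"].append(name)
            elif CHART_PART.match(name) and CACHE_TAG.search(zf.read(name)):
                findings["charts_with_cached_data"].append(name)
    return findings


def safe_to_publish(data: bytes) -> bool:
    """True only when no embedded data source was found."""
    return not any(scan_docx(data).values())


def build_sample_docx(with_embedded_data: bool) -> bytes:
    """Constructed minimal docx-shaped archive for testing (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        if with_embedded_data:
            zf.writestr("word/charts/chart1.xml",
                        '<c:chartSpace><c:numCache><c:pt idx="0"><c:v>9250'
                        '</c:v></c:pt></c:numCache></c:chartSpace>')
            zf.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx",
                        b"PK\x03\x04 constructed placeholder")
    return buf.getvalue()
```

Run `scan_docx` over the real file before upload; a non-empty report means the underlying data set travels with the document and needs de-identifying or stripping first.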