The Australian immigration department has come under fire after it was revealed that a member of staff accidentally exposed the personal details of 31 world leaders attending last November’s G20 summit.
The hapless employee sent an email containing the information to the organizers of the Asian Cup football tournament, ahead of the Brisbane summit, according to The Guardian.
The breached information included names, dates of birth, passport numbers, and visa grant numbers, according to an urgent email sent from the country’s visa chief to the Australian privacy commissioner on 7 November, and obtained by the paper through a FoI request.
Barack Obama, Angela Merkel, Xi Jinping, David Cameron and Vladimir Putin were among the world leaders whose sensitive information was exposed. However, the Australian government controversially decided not to inform any of those affected.
“Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach,” the email noted.
The privacy gaffe apparently took place when an immigration department employee “failed to check that the auto-fill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field.”
Tony Pepper, CEO of Egress Software Technologies, argued that the breach should have been disclosed immediately.
“Encryption solutions are available that enable multi-faceted authentication (ensuring only the correct recipient can access highly sensitive information) as well as the ability to restrict what a recipient can do with received information or, if the worst does happen, revoke that access altogether,” he added.
“Mistakes happen; it's a fact of life. Yet organizations need to ensure they give employees the right tools to work securely, while also providing a safety net should mistakes happen. Otherwise we will continue to see breaches of this kind.”
Egress made a FoI request of its own last December and found that in Q1 2014, a whopping 93% of data breach incidents reported to the UK’s ICO were down to human error and poor processes rather than technical failings.