2 Nov 2017
The personal details of up to 50,000 Australians — including some credit card numbers and salaries — have been mistakenly posted online by a contractor, in one of the biggest data breaches to date.
- Data at risk belongs to staff from AMP, Rabobank, Finance Department, AEC, National Disability Insurance Agency
- Credit card details, full names, emails, expenses and payment details only pulled down in October
- Close to $10 billion worth of IT projects contracted out last year
The information, including full names, emails, expenses and payment details, was publicly available online until early October.
The breach, first reported by ItNews, was discovered by a Polish security researcher who searched for data that should have been protected online.
Close to 25,000 credit card transactions of staff at insurer AMP were disclosed by the contractor, which has not yet been named.
The Finance Department, the Australian Electoral Commission and the National Disability Insurance Agency have also been compromised.
An AMP spokesman confirmed a “limited amount of company data related to internal staff expenses was inadvertently stored in a publicly available cloud service”.
“The mistake was quickly corrected once identified and the matter was investigated to ensure all data had been removed,” the spokesman told the ABC.
“No customer data was compromised at any time [and] we are reviewing the situation to ensure standards are maintained.”
Dutch multinational Rabobank confirmed some of its employee data was breached and that an investigation had been launched.
A spokeswoman for the bank said no client information or staff salaries and credit cards were disclosed.
A spokesman from the Department of Prime Minister and Cabinet said the breach did not include national security data or classified material.
“The data exposed was historical, archived and partially anonymised data,” the spokesman said.
“It contained limited personally identifiable information of government employees such as work email addresses, and in some cases Australian Government Service numbers and corporate credit card details.
“The departments involved have been notifying affected staff and working to give them appropriate support.”
The Government agencies have been working with the Australian Cyber Security Centre and the Information Commissioner to “develop an appropriate response to the breach”.
The Federal Government has been increasingly outsourcing its IT projects to contractors, who are winning close to $10 billion in contracts each year.
The spiralling costs — up from $5.9 billion in 2012-13 — have not always resulted in better outcomes for the public and there are concerns about data being properly managed.
This breach comes a year after the personal data of 550,000 blood donors, which included information about “at-risk” sexual behaviours, was leaked from the Red Cross Service.
Just last month, a Government contractor lost a 1,000 page manual on future security arrangements at Parliament House.
‘This is a serious breach’
The Australian Cyber Security Centre and the Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, have been contacted for comment.
Labor’s digital economy spokesman, Ed Husic, said the Government should have reported the breach before it was exposed by the media on Thursday.
“The Government cannot claim that it is not to blame for the actions of a contractor. Ultimately the buck stops somewhere,” he told the ABC.
“This is some really sensitive data that has been obtained from passwords to credit card details, 50,000 Australians across Government and banks.
“This is a serious breach and the Government should treat it seriously.”