Serviceteam IT Security News
The home affairs and employment departments are investigating a data breach revealing the personal details of 774,000 migrants and people aspiring to migrate to Australia, despite playing down the seriousness of the breach.

On Sunday, Guardian Australia revealed the government’s SkillSelect app allowed users to see unique identifiers of applicants for skilled visas, including partial names, which could then be used through searches with multiple filters to reveal other information about applicants.

The employment department, which hosts the online platform, immediately took it down for maintenance but denied that the final reports generated by searches display personal information.

It did not deny that 774,326 unique identifiers known as ADUserIDs that were visible while conducting searches were composed of parts of users’ names.

Other information stored on the platform includes the applicants’ birth country, age, qualifications, marital status and the outcome of the applications.

On Monday a spokesman for the Office of the Australian Information Commissioner told Guardian Australia the notifiable data breach scheme requires that an agency that “suspects an eligible data breach may have occurred must conduct an assessment … generally within 30 days”.

“In this instance, the department of home affairs has advised that [it] and the department of education, skills and employment are investigating the matter,” he said.

“Under the scheme, if an agency or organisation forms a belief that there has been an eligible data breach, they must notify affected individuals if there has been unauthorised access to, loss, or disclosure of personal information that is likely to result in serious harm. They must also notify the OAIC.”

The SkillsSelect platform invites skilled workers and business people to express an interest in migrating to Australia.

Expressions of interest are stored for two years and displayed on a publicly available app, allowing them to receive invitations for skilled work visas.

Searches by Guardian Australia revealed the public database contained 774,326 unique ADUserIDs and 189,426 completed expressions of interest, searchable as far back as 2014.

By applying multiple filters, a user could narrow down an expression of interest to a single entry, revealing the other details of the applicant.

At a time the federal government is asking Australians to trust the security of data collected by its Covidsafe contact tracing app, privacy experts are appalled by the breach, which they say is just the latest in a long line of cybersecurity blunders.

Monique Mann, an Australian Privacy Foundation board member, told Guardian Australia the breach was “very serious … especially at a time where the Australian government is expecting trust”.

Mann said the information was “comprehensive” and it was “absolutely ludicrous” after academic work by Vanessa Teague and others on the re-identification of health data that the department would make available “information that doesn’t even need to be re-identified, it is contractions of people’s names”.

Source: The Guardian

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!