Former Social Services Minister Christian Porter
The Department of Social Services initially decided not to inform employees of a major privacy breach last year that exposed the personal data of 8,500 current and former staffers, reasoning that it would cause unnecessary concern.
Last year DSS notified current and former employees that personal information held on the department’s credit card management system had been compromised due to a misconfigured sever operated by a contractor. The exposed information, dating from 2004 to 2015, included credit card details, employee names, work emails, system passwords, Australian government service numbers and other employment details.
But after obtaining departmental emails under freedom of information laws, Crikey can reveal that the DSS at first determined to conceal the security lapse from its employees, before changing its mind.
Get Crikey FREE to your inbox every weekday morning with the Crikey Worm.
In an email sent on October 24 last year, three weeks after the breach became known, DSS official Scott Dilley told Australian Information Commissioner Timothy Pilgrim that the department had judged the risk of “further privacy infringement” and “serious harm to individuals” to be low, and that there were “limited additional measures available to individuals to mitigate the potential harm”.
“Given this, notification of affected current or former employees could lead to undue anxiety and desensitisation to future necessary notifications,” Dilley wrote. “The department will continue to monitor the risk of harm to individuals, with consideration to the extent of further notification.”
On November 2, an unnamed DSS official wrote to the privacy watchdog to inform it that the department had in fact begun notifying current and former employees, following “risk monitoring” of the situation. It is unclear what sparked the reversal, or if the department was directed to alter its stance. DSS did not respond to a request for comment, while the Office of the Australian Information Commissioner declined to answer if it had led the change, referring Crikey to general guidelines on its website.
The OAIC informed DSS on November 17 that it would not be pursuing further action over the incident, in light of the department’s steps to secure the compromised data, identify the root cause of the breach and notify those affected. OAIC guidelines from 2014 advise that agencies should decide whether or not to notify parties affected in a privacy breach on a “case-by-case basis”, adding that drawing attention to “low risk breaches can cause undue anxiety and desensitise individuals to notice”. From this month, however, the OAIC will oversee a mandatory notification scheme for all personal data breaches considered likely to result in “serious harm.”
In its disclosure to the OAIC, DSS insisted there was no evidence that any personal data or department credit cards had been misused, and stressed that the security lapse was not the result of its own severs.
Social Services Minister Christian Porter ordered an internal investigation into the incident following media reports in November.
The breach followed a number of high-profile privacy lapses involving government departments last year, including the illicit selling of Medicare details by vendors on the dark web.