Over the course of the last five Australian financial years, the Department of Immigration and Border Protection (DIBP) has reported 18 data breaches to the Office of the Australian Information Commissioner (OAIC).
The year with the most breaches was 2015-16, with seven; followed by 2014-15, with five; and July 2016 to May 23, 2017, with three. The years 2012-13 and 2013-14 recorded two breaches and one breach, respectively.
The data was revealed [PDF] in response to Senate Estimates Questions on Notice, where the department also said it was not subject to a successful cyber attack over the same time period.
“There were many millions of unsuccessful, malicious cyber events targeted either directly or indirectly at Department of Immigration and Border Protection,” the department said [PDF].
An audit earlier this year by the Australian National Audit Office (ANAO) found the department to be lacking on the security front.
While capable of handling internal threats, the DIBP had “insufficient protection” against external threats, the ANAO said, and the department was under the belief that it was doing better than it was.
“The Department of Immigration and Border Protection’s self-assessments both reported compliance against three of the Top Four mitigation strategies,” the audit said.
“The ANAO assessed that … the Department of Immigration and Border Protection complied with only two and one of the Top Four mandatory strategies, respectively.”
In response, DIBP said its systems had become more complex since its inception in 2015, and that it is only two years into an IT investment program.
“In comparing DIBP with the agencies subjected to this audit, it is important to recognise the relevant position of each agency on the ICT investment curve,” DIBP said. “This in turn has a direct implication and relationship to the maturity of their respective cybersecurity initiatives.”
The ANAO, though, seemed to disregard the excuses of DIBP.
“These changes are common in the public sector landscape, and entities must maintain business continuity including ensuring the integrity and availability of their systems, data, and information,” it said.
In 2015, Immigration revamped its information management practices after it had sent personal details of G20 world leaders to Asian Cup organisers.
A year prior, the Office of the Australian Information Commissioner found DIBP was in violation of the Privacy Act by unlawfully disclosing personal information when it published the details of approximately 9,250 asylum seekers in 2014.
The source of the privacy breach was determined to be a DIBP staff member copying and pasting a chart from Microsoft Excel into Microsoft Word, which resulted in the underlying data used to render the chart being embedded in the Word document.
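The failure mode described above (chart pasted in, source data carried along unseen) can be checked for before a document is published, because a .docx is a ZIP package: a pasted chart is stored as chart XML under word/charts/ that caches the plotted values, and Word often stores the entire source workbook under word/embeddings/. The following is an added Python example, not code from the article or the department; it builds a constructed minimal package to scan, and the part names and cached-value tags follow the Office Open XML layout.

```python
"""Flag hidden source data in a .docx before release (constructed example)."""
import io
import re
import zipfile

EMBEDDED_DIR = "word/embeddings/"   # embedded source workbooks live here
CHART_DIR = "word/charts/"          # chart XML; <c:pt> elements hold cached values


def inspect_docx(docx_bytes: bytes) -> dict:
    """Return embedded files and charts whose XML still caches data points."""
    findings = {"embedded_files": [], "charts_with_cached_values": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if name.startswith(EMBEDDED_DIR):
                findings["embedded_files"].append(name)
            elif name.startswith(CHART_DIR) and name.endswith(".xml"):
                xml = package.read(name).decode("utf-8", errors="replace")
                cached_points = len(re.findall(r"<c:pt\b", xml))
                if cached_points:
                    findings["charts_with_cached_values"].append((name, cached_points))
    return findings


def build_sample_docx(with_pasted_chart: bool) -> bytes:
    """Build a minimal constructed .docx-style ZIP for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_pasted_chart:
            # Chart XML with two cached data points, as Word writes for a pasted chart.
            package.writestr(
                "word/charts/chart1.xml",
                '<c:chartSpace><c:numCache><c:pt idx="0"><c:v>9250</c:v></c:pt>'
                '<c:pt idx="1"><c:v>42</c:v></c:pt></c:numCache></c:chartSpace>',
            )
            # Placeholder bytes standing in for the embedded source workbook.
            package.writestr("word/embeddings/Microsoft_Excel_Worksheet.xlsx", b"PK-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_docx(build_sample_docx(with_pasted_chart=True)))
```

A clean document (no embeddings, no cached chart points) returns empty lists; anything else should be reviewed, or the chart replaced by a flattened image, before the file leaves the organisation.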
Responding this week to Senate Estimates questions, the department said the breach had cost almost AU$1 million in legal fees.
“According to departmental records, as at 23 May 2017, the department and Comcover had spent approximately AU$955,330 (GST exclusive) in external legal services expenditure to manage legal matters where it is clear those matters arose because of the 2014 data breach,” it said [PDF].
“Given the varying scope and nature of the legal matters that remain on foot, including any appeal right the parties involved will have available to them at the conclusion of those matters, the department is unable to provide an estimate of the costs that may be incurred in finalising all matters related to the 2014 data breach.”