Skip to main contentSkip to navigationSkip to navigation
US president Barack Obama at the G20 in Brisbane
The Australian immigration department accidentally disclosed the personal details of leaders attending the G20 summit in Brisbane last November, including those of US president Barack Obama. Photograph: Pablo Martinez Monsivais/AP
The Australian immigration department accidentally disclosed the personal details of leaders attending the G20 summit in Brisbane last November, including those of US president Barack Obama. Photograph: Pablo Martinez Monsivais/AP

Visa applicant's details emailed to wrong person in near-identical case to G20 leak

This article is more than 8 years old

Data breach almost identical to G20 world leaders’ personal details leak, but this time Australian immigration department notified and apologised to those affected

Read the new documents released under freedom of information laws

Australia’s immigration department accidentally sent a visa applicant’s details to the wrong person more than two years ago, in almost the same way it exposed personal details of world leaders attending last year’s G20 summit in Brisbane. But in the first case it chose to notify the affected parties and made an official apology.

On Monday the Guardian reported the department accidentally disclosed the personal details of leaders, including US president Barack Obama, Russian president Vladimir Putin and German chancellor Angela Merkel, when an official accidentally emailed them to a member of the organising committee of the Asian Cup football tournament. The department has since enacted a new email policy.

New documents obtained under freedom of information laws show an almost identical breach happened in December 2012, when an email containing a visa applicant’s personal details was accidentally sent to the wrong person.

The department wrote to the Privacy Commissioner that “the error occurred when the FOI case officer typed [Redacted] email address in the recipient’s address space”.

The information included visa details, passport information, records of academic transcripts, marriage certificates and name and date of birth.

The department chose to notify the individual affected, unlike in the case of the world leaders.

“Contacted [Redacted] over the telephone the same day to advise him of the privacy breach and the corrective action taken and to offer the department’s apology. [Redacted] accepted the apology and said he was fine with it,” the immigration department wrote to the commissioner’s office.

“The case officer was counselled about the need to ensure that correct procedures are followed and the correct email addresses used in communications with clients at all times. The same message was reinforced with other staff in an all-staff message from the manager later that day.”

It is unknown what happened to the stray email, and the department wrote that the recipient had not responded to its requests to delete the material.

Documents obtained under freedom of information laws show the department has reported five other serious data breaches to the Office of the Australian Information Commissioner since 2012.

The immigration department said a comprehensive review of its data handling practices was under way to ensure personal details were not “inadvertently or deliberately spilled externally”.

A spokeswoman for the department said it took its obligations under the Privacy Act seriously.

“The department thoroughly investigates privacy breaches as soon as they are identified. All matters are referred to the Privacy Commissioner and, if appropriate, the Australian federal police.

The department declined to explain why the two breaches were treated differently.

The other previously unreported breaches included:

  • An immigration employee who resigned and may have removed personal details of clients. The referral in March 2013 said that after police executed search warrants they found “files and other papers and material concerning clients who had applied for visas and their sponsors”. The officer proposed to notify the individuals of the breach when the facts became clearer.
  • A payroll officer who lost a USB stick containing staff banking and account information in May 2014. The department recommended the affected parties not be notified of the breach on the basis that the risk was considered low. The department believed that notifying the parties “would alert the public as to the information contained on the device, which potentially coupled with other personally identifiable information ... would increase the risk of identity theft”.
  • Papers and documents containing other people’s personal details were found in the accommodation of a former immigration employee on Christmas Island in October 2014. The referral letter said the officer had attempted to return to their accommodation shortly before leaving Christmas Island, and that it was unclear what the motivation was.
  • An email that was sent to the information commissioner relating to Save the Children, which referred to lost hard drives, a lost USB and an incident of unauthorised data distribution. It followed reports on SBS about the removal of some of this information.

The shadow immigration minister Richard Marles called the world leaders’ breach a “huge embarrassment” for Australia.

The White House said it was making inquiries about the breach and would take “all appropriate steps” to ensure the security of the US president’s personal information.

Comments (…)

Sign in or create your Guardian account to join the discussion

Most viewed

Most viewed