The immigration department has revealed that over the last five years it has reported 18 data breaches to the Office of the Australian Information Commission.
In an answer to a question on notice from a Senate Estimates hearing earlier this year, the Department of Immigration and Border Protection (DIBP) revealed it reported three data breaches to the OAIC in the period 2016-May 2017.
In 2015-16 it reported the highest number of breaches — seven — followed by 2014-15, when it reported five breaches to the OAIC.
The 2014 tally included a mammoth leak of asylum seeker details uncovered by activist Asher Wolf. A file posted on a publicly accessible website contained the details of 9250 people, including every asylum seeker imprisoned in on-shore detention centres and on Christmas Island, as well as those in community detention.
The breach took place when statistical data was mistakenly embedded in a Word document that was published on the department’s website.
A DIBP-commissioned review by KPMG cited unfamiliarity with some Microsoft Word functions and limited awareness of IT security risks as key culprits.
In an answer to another question on notice from Senate Estimates, the department said that as of 23 May this year DIBP and Comcover had spent more than $955,000, excluding GST, on legal services related to the breach.
“Given the varying scope and nature of the legal matters that remain on foot, including any appeal right the parties involved will have available to them at the conclusion of those matters, the Department is unable to provide an estimate of the costs that may be incurred in finalising all matters related to the 2014 data breach,” the department said.
The government has faced legal action by a number asylum seekers in relation to the breach.
“There are a number of pieces of litigation currently alive” in relation to the breach, DIBP general counsel Philippa de Veau told a May estimates hearing
“The Office of the Australian Information Commissioner has received approximately 1744 complaints in relation to it,” De Veau said.
“There are some matters currently where there is judicial review where a delegate has subsequently considered a person's claim in light of what may have happened once that information became known.
“For those there are 34 matters currently in the Federal Circuit Court, six in the Federal Court and one in the High Court. Those matters are ongoing.”
DIBP secretary Michael Pezzullo told the hearing that one of the first decisions he took as secretary in the latter part of 2014 “was to put all of our systems behind the protected firewall”.
“Previously many of our staff were on Internet-facing systems, so we were not too protected,” he said. “That has certainly helped to mitigate the risk of inadvertent, clumsy, accidental disclosure.”