Privacy advocates are calling into question the information security practices exercised by the Department of Home Affairs after it was revealed that the personal details of as many as 774,000 migrants were exposed on its SkillsSelect platform.
Details on the data breach are sparse, however, according to a report from The Guardian, the data breach hit the government’s SkillsSelect platform that was set up for migrants, which included names and the outcomes of some applications.
The SkillsSelect platform was hosted by the employment department, and was established to take applications from skilled workers to express their interest in moving to Australia to work. Those expressions of interest were stored for two years, and accessible via a publicly available application noted on the home affairs website.
The Guardian writes that “with just two clicks, users of the app can view a range of fields including the applicants’ “ADUserID”, a unique identifier composed of partial name information and numbers.”
“What processes of auditing and oversight are occurring within the department of home affairs? This department is responsible for policing, border protection and intelligence. You would expect a greater level of information security than this.” - Monique Mann
“Searches by Guardian Australia revealed the public database contained 774,326 unique ADUserIDs and 189,426 completed expressions of interest, searchable as far back as 2014.”
“Other information available includes the applicants’ birth country, age, qualifications, marital status and the outcome of the applications… by applying multiple filters, a user could narrow down an expression of interest to a single entry, revealing the other details of the applicant,” writes Paul Karp.
The Guardian contacted the Home Affairs Department as well as the employment department, who said the platform has been taken offline and is “currently undergoing maintenance.”
News of the database breach comes at a particularly troubling time for the government as it attempts to posture itself as trustworthy with sensitive information amid the rollout of the controversial COVIDSafe application.
Monique Mann, board member of the Australian Privacy Foundation told The Guardian that the data breach was “very serious,” adding that it comes “at a time where the Australian government is expecting trust,” in reference to the launch of the COVIDSafe app that the government hopes will be downloaded by 40% of the population.
Mann pointed to the federal government’s “consistently poor track record that shows that we cannot trust them with our personal information,” mentioning the My Health Record “blunder” as well as the Robodebt and 2016 census scandals that plagued the government.
In reference to the SkillsSelect dataset, Mann said that “if you can use this to pin down a specific person that you’re thinking about and from that understand what they had entered into certain categories, then that is a way to extract information you might not already have known.”
“What processes of auditing and oversight are occurring within the department of home affairs? This department is responsible for policing, border protection and intelligence. You would expect a greater level of information security than this,” she said.
The report also quotes Anna Johnston, principal of Salinger Privacy who said the Home Affairs department is obliged to inform those implicated in the data breach, as well as informing the privacy commissioner of any breach that would “likely result in serious harm.”
“A failure to notify an eligible data breach can be grounds for a person to make a complaint or for the [office of the information commissioner] to issue a penalty,” she said.
The employment department has deflected criticism, adding that it just “supports the department of home affairs by delivering the IT solutions for this program.”
“In line with the Australian government public data policy statement, [the departments] collaborated in early 2020 to make available a report which informs the public about the take-up and general characteristics of applications received through the SkillsSelect program.”
“This report does not display any personal information and focuses primarily on the number of applications received by each occupation code and geographic region.”