This year three of the five own-motion investigation reports published by the Information Commissioner (Commissioner) involved the investigation into large scale data breaches by Telstra Corporation Limited (Telstra), Multicard Pty Ltd (Multicard), Cupid Media Pty Ltd (Cupid), and the Department of Immigration and Border Protection (DIBP).
These reports highlight the Commissioner's focus on investigating large scale data breaches, and demonstrate lessons that can be learned to avoid such data breaches in the future.
Telstra data breach
In the Telstra own-motion investigation, the Commissioner investigated Telstra's data breach, which resulted in the personal information of approximately 15,775 Telstra customers being publicly available online in mid 2012.
Unknown to Telstra, this personal information remained accessible between February 2012 and May 2013 as a result of one of Telstra's contractors which, in deploying an IT solution, inadvertently turned off the access controls in relation to the personal information.
Multicard data breach
In the Multicard own-motion investigation, the Commissioner investigated Multicard's incorrectly configured website, which allowed directory browsing, resulting in a large volume of personal information about Maritime Security Identity Card applicants becoming publicly accessible online. The accessible information included 8,865 first and last names, 8,791 dates of birth, 7,342 addresses, and 28,826 photographs in relation to Maritime Security Identity Card applicants.
Cupid data breach
Cupid's data breach involved the unauthorised disclosure of personal information of its customers through a hacking attack on around 18 January 2013, which exploited a vulnerability within the application server used by Cupid (called 'ColdFusion'). Cupid identified the ColdFusion vulnerability in its web server on 23 January 2013, and on that day installed a patch, which the Commissioner was satisfied 'stopped the attackers from obtaining further data'. However, the Commissioner noted that although the patch for the ColdFusion vulnerability had been released on 16 January 2013, because it was not applied, personal information of approximately 254,000 Australian users was compromised in the data breach.
The Australian Government Department of Immigration data breach
The Australian Government Department of Immigration and Border Protection data breach occurred when statistical data was mistakenly embedded in a Word document that was published on DIBP's website. The data breach was discovered by Guardian Australia, and DIBP removed the document within an hour of being notified. Following the breach, DIBP commissioned KPMG to investigate and report on the data breach.
The Commissioner's findings
Failure to take reasonable security steps
The key issue investigated by the Commissioner was whether each of Telstra, Multicard, Cupid and DIBP took reasonable steps to protect the security of the personal information they held from misuse and loss and from unauthorised access, modification or disclosure. The relevant obligations were contained in National Privacy Principle (NPP) 4.1 and Information Privacy Principle (IPP) 4(a), and are now largely replicated in Australian Privacy Principle (APP) 11.1.
Each of the Telstra, Multicard and DIBP data breaches resulted from an unintentional error which led to the disclosure of personal information, and in each case the Commissioner found that the entity had not taken reasonable steps to protect the information. In relation to Telstra, the Commissioner found that Telstra had failed to take reasonable steps to implement security procedures, such as vulnerability testing and monitoring, despite its awareness of the heightened risk environment. The Commissioner found that Multicard had failed to implement a number of basic website security measures, such as restricting access to the uploads folder to authorised and authenticated users and disabling directory browsing.
Cupid's data breach resulted from a hacking attack. The Commissioner found that Cupid had discharged its duty to take reasonable testing and monitoring steps by conducting daily vulnerability scans and implementing an intrusion prevention and detection firewall. However, the Commissioner found Cupid's storage of passwords in plain text to be a failure to take reasonable steps to protect information, and therefore found that Cupid had also breached NPP 4.1 by failing to take reasonable steps to protect the security of the personal information it held.
In each of the Telstra, Multicard and DIBP own-motion investigations, the Commissioner also found that the entity had, by unintentionally making the personal information it held publicly available, 'disclosed' the information. As none of the disclosures were in accordance with NPP 2/IPP 11 (now largely replicated in APP 6), the Commissioner found that each entity had unlawfully disclosed the information.
In contrast, Cupid's customer data was accessed as a result of a hacking attack which penetrated Cupid's security features. The Commissioner emphasised that the concept of 'disclosure' 'requires the organisation to release the information by its own action, intentionally or otherwise'. Accordingly, the Commissioner found that Cupid had not 'disclosed' personal information in contravention of NPP 2. This is consistent with the current guidance provided by the Commissioner, which states that:
An APP entity is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information.
Failure to de-identify or destroy information
In the Cupid and Telstra own-motion investigations, the Commissioner also found that Telstra and Cupid had breached NPP 4.2 (now largely replicated in APP 11.2), because each of them had failed to take reasonable steps to destroy or permanently de-identify the personal information which it no longer needed.
Recommendation of the Commissioner
The Commissioner ultimately decided to close each of these investigations, on the basis that each of Telstra, Multicard, Cupid and DIBP had taken action to remedy their breaches, improve their information security and address many of the Commissioner's recommendations. The Commissioner also requested that Telstra, Multicard and DIBP each provide a copy of an independent auditor's report to the Commissioner on the implementation of their planned remediation steps.