Breach Exposes Data of 774,000 Australian Migrants

Personal details of 774,000 individuals in Australia's migration system have been exposed in a data breach.

The data was made publicly available via the Home Affairs Department's SkillsSelect platform, which invites skilled workers and entrepreneurs to express interest in moving Down Under. 

Partial names, ADUserIDs, and the outcome of applications made by people wishing to migrate to Australia were discovered online by Guardian Australia via a publicly available app hosted on the employment department's domain. Other information uncovered by the newspaper included the age, country of birth, and marital status of applicants.

In total, the breach revealed 774,326 unique user IDs and 189,426 completed expressions of interest, dating back to 2014. By applying filters, the Guardian was able to narrow down an expression of interest to a single entry, then discover other details relating to that particular applicant.

News of the breach comes as the Australian government is asking people to voluntarily adopt a new contact-tracing app, CovidSafe, to slow the spread of the novel coronavirus. A cybersecurity failure in one government app could make Australians reluctant to enter their personal information into another.

Australian Privacy Foundation board member Monique Mann told Guardian Australia the breach was “very serious . . . especially at a time where the Australian government is expecting trust.”

Mann described the Australian government as having a “consistently poor track record that shows that we cannot trust them with our personal information,” and went on to call the unnecessary exposure of migrant data “absolutely ludicrous.”

Privacy academic, cryptographer, and chief executive of Thinking Cybersecurity Vanessa Teague said she thought that the public availability of ADUserIDs on the SkillsSelect platform “looks like a stuff-up.”

When Guardian Australia contacted the Home Affairs Department and the Employment Department in relation to the data breach, the SkillsSelect platform was taken offline and is now "currently undergoing maintenance."

Mann expressed concern that the data breach had not been identified by the Home Affairs Department. 

She said: “What processes of auditing and oversight are occurring within department of home affairs? This department is responsible for policing, border protection and intelligence. You would expect a greater level of information security than this.”
