The personal details of world leaders at the last G20 summit were accidentally disclosed by the Australian immigration department.
An employee of the agency inadvertently sent the passport numbers, visa details and other personal identifiers of all world leaders attending the summit to the organisers of the Asian Cup football tournament, and did not consider it necessary to inform those world leaders of the privacy breach.
Those affected include the leaders of America, Russia, Germany, Chinese, India, Japan, Indonesia and the UK.
The Australian privacy commissioner was contacted by the director of the visa services division of Australia’s Department of Immigration and Border Protection to inform them of the data breach on 7th November 2014 and seek urgent advice.
In an email sent to the commissioner’s office, obtained under Australia’s freedom of information laws, the breach is attributed to an employee who mistakenly emailed a member of the local organising committee of the Asian Cup – held in Australia in January – with the personal information.
“The personal information which has been breached is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (ie prime ministers, presidents and their equivalents) attending the G20 leaders summit,” the officer wrote.
“The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person. The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”
Tony Pepper, CEO of Egress Software Technologies, said: “This is a shocking breach in security that should have been disclosed immediately – however it’s actually a very common mistake. ‘Autofill’ options when entering a recipient’s details create a wide margin for human error when sharing confidential information by email. However, this is no longer an acceptable excuse, particularly when sharing such highly sensitive information.
Sue Trombley, managing director of professional services at Iron Mountain, said: “This breach is another example of human error and underscores the need for employees to be aware that even the simplest of administrative tasks can prove most costly to the organisation in terms of reputation. Routine tasks require additional checks in place when sensitive data is involved. Ultimately, we may need to rely on more advanced tools that would flag this need for extra caution.”