Secret list exposes Aussie passport holders' data risk


Flashback

Secret list exposes Aussie passport holders' data risk - Security - Technology - News - iTnews.com.au

Personal files of 109 Aussies at high risk of inappropriate access.
The Australian Passport Office keeps a secretive list of 109 Australians whose personal information is considered to be at risk of inappropriate access by the office's staff.
Existence of the list was revealed in an audit of the biometric features of Australia's ePassport system by the Australian National Audit Office.
According to the audit, the Passport Office identifies staff that access the personal records of individuals on the list and "assesses whether that access was appropriate".
 
Super beat-up / non-story from NoNews with that one.

Every Government department that stores private data (that I am aware of) has a "hot list" of customers who are of a sensitive nature. Any data relating to them is restricted. Can contain people like high profile journalists, court officials, ministers, prime ministers/premiers, celebrities etc etc.

Passports Aus aren't doing anything different.
 
Mal is 100% right. I recently started a project at a Government department and on the first day of induction we were told that there is a hot list and every single access to any data related to people on the hot list is logged and audited for appropriateness. Inappropriate access can lead to immediate dismissal. This is how they protect people's data from nosey people.
 
Mal is 100% right. I recently started a project at a Government department and on the first day of induction we were told that there is a hot list and every single access to any data related to people on the hot list is logged and audited for appropriateness. Inappropriate access can lead to immediate dismissal. This is how they protect people's data from nosey people.

That doesn't actually protect their data from nosey people. It just allows for the offender to be dismissed.
 
That doesn't actually protect their data from nosey people. It just allows for the offender to be dismissed.

It puts a bit of fear into people that will hopefully think twice before accessing the data. After that, if they do, the dismissal will hopefully limit the damage done. At the end of the day, people will still try and will succeed in gaining access. The only true way to prevent access is to not hold the data in the first place, but then the department won't be able to fulfill its functions.
 
That doesn't actually protect their data from nosey people. It just allows for the offender to be dismissed.

Depends on the IT systems involved. For example, I know of a bank where attempted access to the details of certain customers requires a password. The systems are in place...
If you chat to anyone who has worked at the ATO, you will know of their "hot list". I wish I worked there, just to get on their "don't touch" list .... :)
 
Fair enough comments from people who are in project development work for government agencies/depts - but a few uncomfortable questions - who decides who is on the "hot list" and who isn't? And shouldn't one level of protection of privacy be a reasonable expectation in our democratic society? After all - we are all allowed one vote, one set of laws that apply to us, so what about a common standard of protecting our privacy.
 
My point is not that security is good, bad or indifferent. My point is "some" people will access it regardless of the penalty. It's not a lot different from someone deciding to fly to Bali with a stash of drugs, we all know it can get you executed. But in spite of that, every year some fool tries and is caught.
 
And shouldn't one level of protection of privacy be a reasonable expectation in our democratic society? After all - we are all allowed one vote, one set of laws that apply to us, so what about a common standard of protecting our privacy.

You make an interesting point.
 
Fair enough comments from people who are in project development work for government agencies/depts - but a few uncomfortable questions - who decides who is on the "hot list" and who isn't? And shouldn't one level of protection of privacy be a reasonable expectation in our democratic society? After all - we are all allowed one vote, one set of laws that apply to us, so what about a common standard of protecting our privacy.

That is the ideal of course but the reality is that some people will attract more attention than average Joes and information on them is more likely to be sought by unscrupulous staff.

Government bodies would attempt to balance the accessibility of their systems for authorised purposes versus protecting it against unauthorised access. There are checks and audits in place, and they do catch wrongdoing even when it doesn't involve celebrities, i.e. a staff member trying to get "dirt" on a former, non-celebrity partner.
 
Blackmail simongr based on his private info and maybe get $1000 cash.

Blackmail Julia Gillard and get access to defence codes.

Equally find out simongr is headed to akl and enjoying the f lounge.

Find out Gillard is heading to Afghanistan and advise the Taliban...
 
That is the ideal of course but the reality is that some people will attract more attention than average Joes and information on them is more likely to be sought by unscrupulous staff.

I take your point there - obviously depends on the data held. Most would be more interested in Lindsay Lohan's tax information than mine! But from my own perspective I would want just as much protection of say my banking and credit history as a celebrity. After all - my identity and my modest amount of money is still a tempting target for people wanting to commit fraud or identity theft, especially if they are living in Nigeria on $2 a day. Or say collect thousands of people's information (such as name, dob, bank account numbers and TFN) and sell it en-masse to mass production bulk fraudsters?

Government bodies would attempt to balance the accessibility of their systems for authorised purposes versus protecting it against unauthorised access. There are checks and audits in place, and they do catch wrongdoing even when it doesn't involve celebrities, i.e. a staff member trying to get "dirt" on a former, non-celebrity partner.

Agree that security and IT protocols are important here, but there are several notable examples of public servants caught stealing client/private information from say Centrelink or the police computer systems about ex-partners etc. Using the tip of the iceberg theory, of the reported few, how many have occurred undetected?
 

I think you will find that these people are getting an extra layer of security - their information is more valuable than yours so should be protected. Often that is within organisations rather than protection from outside. To do their job people need access to information so you can't restrict everyone. However if you can identify higher risk data and protect that MORE then that is a good thing.

For example you should have controls in place to prevent the mass download of data. However preventing people from seeing data that they need to see restricts their ability to do their job.
 
Blackmail simongr based on his private info and maybe get $1000 cash.

Blackmail Julia Gillard and get access to defence codes.

Equally find out simongr is headed to akl and enjoying the f lounge.

Find out Gillard is heading to Afghanistan and advise the Taliban...

The Taliban would respond with "Julia who?" :-)


Sent from my iPad using Australian Frequent Flyer app
 
Julia would respond with.
"There will be NO defence codes in any Government I lead"
 
Internal audit over sensitive data access can take many forms. As I indicated above, many organisations (not just Govt) have "hot lists" of data that needs special permissions / is extensively tracked when accessed. But, that's just special attention to certain data.
In the background, there are often (but not always) other means of detecting incorrect access. For example, role based permissions may allow you to access certain data - but you may be required to tie this access back to another reference (eg a case number you're working on).
Trending may occur where "heavy accesses" of data trigger audits, or accesses to data not during your usual hours of access.

Both Govt and private industries have data access issues. Don't fall into the trap of thinking the Govt is the only organisation that keeps private data on you ... Consider your bank, your insurance providers, your doctor and other medical professionals, even Qantas holds significant personal information. Hopefully these other organisations hold data security/privacy as high a priority as the Govt organisations. (But IMHO - not likely based on my involvement in the IT industry).
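
The checks this post describes (hot-list review, tying access back to a case number, heavy-access and out-of-hours triggers), sketched as an added example that is not part of the original thread. All record IDs, users, case numbers and thresholds are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data; every identifier and threshold is hypothetical.
HOT_LIST = {"R-1001"}            # every access to these records is reviewed
OPEN_CASES = {                   # case number -> records that case covers
    "C-77": {"R-1001", "R-2002", "R-2003"},
    "C-80": {"R-3001", "R-3002", "R-3003", "R-3004"},
}
USUAL_HOURS = range(8, 18)       # 08:00-17:59
DAILY_LIMIT = 3                  # accesses per user per day before review

LOG = [  # (timestamp, user, record_id, case_ref)
    ("2012-06-04T09:15", "alice", "R-2002", "C-77"),
    ("2012-06-04T09:40", "alice", "R-1001", "C-77"),
    ("2012-06-04T10:05", "bob", "R-2003", None),
    ("2012-06-04T23:30", "bob", "R-2002", "C-77"),
    ("2012-06-04T11:00", "carol", "R-3001", "C-80"),
    ("2012-06-04T11:01", "carol", "R-3002", "C-80"),
    ("2012-06-04T11:02", "carol", "R-3003", "C-80"),
    ("2012-06-04T11:03", "carol", "R-3004", "C-80"),
]

def review(log):
    """Return (timestamp, user, record, reasons) for each access needing audit."""
    per_day = Counter()
    findings = []
    for ts, user, record, case in sorted(log, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        reasons = []
        if record in HOT_LIST:
            # Reviewed even when the access is otherwise legitimate.
            reasons.append("hot-list record")
        if record not in OPEN_CASES.get(case, set()):
            reasons.append("no matching case reference")
        if when.hour not in USUAL_HOURS:
            reasons.append("outside usual hours")
        per_day[(user, when.date())] += 1
        if per_day[(user, when.date())] > DAILY_LIMIT:
            reasons.append("heavy access")
        if reasons:
            findings.append((ts, user, record, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(LOG):
        print(finding)
```

Each finding is a prompt for a human reviewer to assess appropriateness, not a verdict: the hot-list hit for alice is flagged although her case reference is valid.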
 
I think you will find that these people are getting an extra layer of security - their information is more valuable than yours so should be protected. Often that is within organisations rather than protection from outside.

I accept all your other points about data security, but by putting in an extra layer of security you are just really making a smaller but more obvious target. My main concern was that if politicians or members of the courts receive an extra layer of security about their personal info that the average person on the street does not get, this leads to conclusions about "one law for them and another law for us" situations that make the public very cynical of public institutions. If these people want to make laws that affect us then they should be prepared to live with the same laws and rights that we all have to live by.

You only have to look at the recent Thompson allegations (whether true or not) and the broader FWA and HSU corruption to see how emotive things can become once the perception is out there in the public that some people in some institutions are more difficult to investigate than others.

I think that's why it may have appeared in the press in the first place...
 
I accept all your other points about data security, but by putting in an extra layer of security you are just really making a smaller but more obvious target. My main concern was that if politicians or members of the courts receive an extra layer of security about their personal info that the average person on the street does not get, this leads to conclusions about "one law for them and another law for us" situations that make the public very cynical of public institutions. If these people want to make laws that affect us then they should be prepared to live with the same laws and rights that we all have to live by.

It is often not about protecting the people but protecting the organisation. A bank wouldn't protect Nicole Kidman's banking details to stop her being the victim of an attack but to stop themselves getting sued when someone used her information and the consequent brand impact that would have.
 
I'd be a lot more concerned if anyone in the passport office could access anyone's data. Let's face it, it's not as if the govt has never hired an untrustworthy soul before. And I'm a bit miffed by the thought that I'm not likely to be on that list. :shock:
 
I'd be a lot more concerned if anyone in the passport office could access anyone's data. Let's face it, it's not as if the govt has never hired an untrustworthy soul before. And I'm a bit miffed by the thought that I'm not likely to be on that list. :shock:

Huh? Of course there are staff in the passport office who can access your details. I don't know their controls but assume that cleaners can't for example.

Do you hold your bank to the same level? Any hotel you've stayed in? Airlines you've flown? Most of them have the same info on file...

Sent from my GT-I9100 using AustFreqFly
 