SYDNEY: In a major data breach caused by an email autofill error, the personal details of 31 of the world's leading political figures including Indias Prime Minister Narendra Modi, were accidentally emailed to organisers of a regional football tournament by the Australian immigration department last November. The breach related to world leaders attending the G20 Leaders' Summit in Brisbane and included US President Barack Obama, UK Prime Minister David Cameron, Russian President Vladimir Putin, German Chancellor Angela Merkel and Chinese President Xi Jinping.
Details such as the passport numbers, visa information and other personal data of some of the most powerful people on the planet were inadvertently passed on by a staff member at Australia's Department of Immigration. It has now emerged that the world leaders were not told about the data breach at the time of the incident and the error was reported less than 10 minutes after it occurred.
The Prime Minister's Office in India chose not to react, but a senior government official said: We have seen the report and will take necessary action at our end on the matter.
According to reports the Department of Immigration advised Australia's Privacy Commissioner of the privacy breach on November 7, 2014, seeking "urgent advice... given the sensitivities involved".
Despite the profile of the individuals involved and the extent of information leaked, the breach came down to "one email and one email address.
An email sent to the Australian privacy commissioner from the immigration department, obtained by the Guardian via Freedom of Information request, said: "The personal information which has been breached is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders [ie, prime ministers, presidents and their equivalents] attending the G20 leaders summit.
"The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person.
"The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.
"The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach."
The immigration officer who sent he email said it is "unlikely" the information is still in public domain, with the Asian Cup local organising committee adding they do not believe the email is "accessible, recoverable or stored anywhere else in their systems".
The officer advised it would be best if the leaders were not informed about the breach due to its low-level risk.
"Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach," the officer added.
It is unclear whether the world leaders have now been informed since the leak on 7 November 2014. The office of the Australian immigration minister, Peter Dutton, is reportedly yet to respond to the reports.
According to the Department report, the unintended recipient of the email immediately advised that the staff member had "sent the email to the wrong person", that it had been deleted and had not been forwarded or copied to a backup system.
The revelations come just days after Australia passed major new laws requiring every Australian ISP and telecommunications provider to store the phone and Internet metadata of their customers for a compulsory period of two years.
With mandatory data retention already facing opposition from legal experts, media groups, civil liberties advocates and the Australian public, this latest breach has the potential to raise further privacy concerns and questions about the security of data storage in Australia.
Currently, Australia does not have laws in place requiring the mandatory disclosure of data breaches, whether they are caused by government organisations or private companies. While the new Data Retention Bill did not originally include any changes to this status quo, amendments brought in by the Federal Government (after opposition push back) will now see data breach laws introduced within the year.
Australia hosted the Asian Cup- Asian Football Confederation 2015 tournament in January. The Australian immigration spokeswoman said the department had reviewed and strengthened its email protocols to limit and contain future breaches. --EJ
Be Part of Quality Journalism
Quality journalism takes a lot of time, money and hard work to produce and despite all the hardships we still do it. Our reporters and editors are working overtime in Kashmir and beyond to cover what you care about, break big stories, and expose injustices that can change lives. Today more people are reading Kashmir Observer than ever, but only a handful are paying while advertising revenues are falling fast.