‘Major systemic failure’ on privacy — again — by Federal Court of Australia

Court appears to be ignoring 2017 mandate for regular privacy reviews and its own standards.

A failure to comply with minimum privacy requirements has been exposed as the Federal Court of Australia (FCA) scrambles to recover from a “major systemic failure” in which the previously protected identities of hundreds of high-risk asylum seekers were compromised.

An investigation by the Australian Broadcasting Corporation (ABC) found that the publicly available Commonwealth Courts database had published the names of hundreds of people — who are supposed to be referenced only by alphanumeric pseudonyms — who had applied to the federal government for protection under asylum-seeker visa provisions.

FCA admits ‘major systemic failure’ — again

An FCA statement to the ABC said an audit had uncovered the names of 400 asylum seekers, momentarily suspending database access and admitting that the oversight had been a “major systemic failure” even as the affected records remained visible when the database went back online.

Migration lawyers have been warning the FCA about the publication of their clients’ names for years, the ABC said, but the organisation had done nothing to address individual cases brought to their attention.

This is in direct contravention to the privacy policy published on the FCA’s website, which discusses statutory restrictions that may be applied to the court’s recordkeeping by various legislation. “For example,” the policy reads, “under the Migration Act 1958 the High Court, Federal Court and Federal Circuit Court cannot publish the name of any person who has applied for a protection visa in relation to any proceeding in the court”.

Despite this, ABC investigators were able to retrieve details of cases involving asylum seekers from China, Sri Lanka, Vietnam, Egypt, and several Middle Eastern countries.

It’s not the first time an Australian government body has leaked the names of asylum seekers: In 2014, a breach of immigration systems saw details of 9,258 asylum seekers published online — spurring an investigation and ongoing consideration of compensation by the Office of the Australian Information Commissioner (OAIC).

Protecting court systems from cybersecurity compromise is particularly important given the sensitive information they regularly manage.

One recent United States National Center for State Courts (NCSC) white paper, for example, noted that court data is attractive to cybercriminals for reasons including facilitating criminal activity; supporting ransom demands; manipulation; use as a legal strategy; and shutting down legal action “as response measures are executed”.

All US courts are subject to mandatory security assessments by independent security experts at least once every five years — with “high-priority systems” evaluated every three years.

Federal courts in that country began conducting self-assessments in 2017 — the same year that Australia introduced new privacy guidelines through the Privacy (Australian Government Agencies — Governance) APP Code 2017 (Cth).

The FCA doesn’t appear to have followed its own guidelines on privacy

Despite these requirements, however, the FCA does not appear to have followed those guidelines.

The organisation’s own Privacy Impact Register suggests that the organisation has not conducting a single Privacy Impact Assessment (PIA) to determine its own exposure to a potential data breach.

PIAs must, the organisation’s website says, be conducted “for all high privacy risk projects”. “A project may be a high privacy risk project,” the FCA site explains, “if the Court considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.”

However, the PIA register is currently empty — meaning that no PIAs have been conducted in the more than three years the legislation has been in place. This, despite a recent ramping-up of PIAs by the OAIC, which has encouraged agencies to conduct PIAs as they explore data-driven COVID-19 responses.

The persistence of such a major data breach is ironic given that the breach happened in the same federal courts recently used by the OAIC to prosecute Facebook for privacy violations related to its Cambridge Analytica partnership.

That partnership, privacy commissioner Angelene Falk said, constituted “systemic failures to comply with Australian privacy laws by one of the world’s largest technology companies”.


Copyright © 2020 IDG Communications, Inc.

8 pitfalls that undermine security program success