Sensitive personal information leaked by recruiter
A Melbourne recruiting company leaked sensitive personal information on Amazon Web Services Simple Storage Service. The online storage was left open for anyone to access for over a month. A Melbourne-based security researcher found the open storage instance on October 24. It was found to contain images of passports, driver’s licenses, tax forms, and employment contracts. While it is not known how long the online storage was left exposed, it was indexed by one or more search engines on September 14 this year. One search engine found 12,709 files in the online storage, these included passports, driver’s licenses, tax forms and thousands of employment contracts.
The breach will be reported to the authorities and the workers affected by the data breach. Let this be a timely reminder about the dangers of cloud storage and need for implementing strong security measures. This company did save a few hundred dollars when they rolled out the cloud storage themselves but now face hundreds of thousands of dollars in fines for breaches of the privacy act.
City of Port Phillip leaks personal information in data.gov.au blunder
An unknown number of residents who reported graffiti to a Melbourne-based council have had their personal information inadvertently published on the federal government’s open data portal. The City of Port Phillip council revealed the data breach on Wednesday. Names, phone numbers and email addresses were disclosed in its graffiti management data on data.gov.au. Property addresses “used to identify the location of the graffiti” were also accidently release “in some instances”, which the council said “may link the person reporting the graffiti to that address”.
“Council became aware of the breach on 5 October 2020 and in response conducted an internal investigation,” the council said. “It was determined that the data breach started in March 2020. “The data was immediately suspended from the data.gov.au website on 5 October 2020, to prevent any further views/downloads. “Council has tried to directly contact any persons affected by this breach via email.”
“As the data was open to the public, Council is not able to confirm who has accessed the data,” it added. As a result of the accidental disclosure, the council said it had updated the process for publishing open data, and now included a “peer review and sign-off prior to publishing”. It has also updated “automated generation of data”, so to include only “information that relates to the location of graffiti (street number, street name, suburb, postcode and date submitted)”.
“Council sincerely apologises for the disclosure of personal information and for any distress and inconvenience this may cause,” it said. “Council regards the protection of personal information to be of great importance and makes every effort to safeguard personal information under its control. “Council assures that this breach is being appropriately addressed by the organisation. All efforts will be undertaken to ensure that future breaches of this nature do not occur.