The Department of Social Services has written to 8,500 current and former employees warning them their personal data held by a contractor has been breached.
In letters sent in early November the department alerted the employees to "a data compromise relating to staff profiles within the department's credit card management system prior to 2016".
Compromised data includes credit card information, employees' names, user names, work phone numbers, work emails, system passwords, Australian government services number, public service classification and organisation unit.
The department failed to warn staff how long the data was exposed for but a DSS spokesman told Guardian Australia that the contractor, Business Information Services, had advised that the data was open from June 2016 until October 2017. The data related to the period 2004 to 2015.
The letters from the DSS chief financial officer, Scott Dilley, blame "the actions of the department's third-party provider" and say the compromise "is not a result of any of the department's internal systems".
"The data has now been secured," Dilley wrote. He said there was "no evidence" of improper use of the data or the department's credit cards.
The DSS spokesman said that on 3 October the Australian Signals Directorate had notified it of the compromise. "The Australian Cyber Security Centre immediately contacted the external contractor to secure the information and remove the vulnerability within hours of notification," he said.
Asked to assess the severity of the breach, the Australian Privacy Foundation chairman, David Vaile, said it had affected a "significant number" of people and noted the department had given staff "no clue how far back" it extended or how long data was exposed for.
He said that employees' usernames, full names and system passwords were "material that could be quite useful for identity theft, fraud and masquerading", where an attacker pretends to be an authorised user.
Vaile said the notification was a "masterpiece of passive aggressive writing" that sought to downplay the effect of the breach, when it should be for the benefit of the victims to provide as much information as possible to counter the threat.
It did not contain acknowledgement that outsourcing functions to an external provider "represents an increased risk and in this case it has come home to roost", he said.
Vaile questioned how extensive the departmentâs inquiries were into whether the data was accessed, adding that little comfort could be taken from the fact departmental credit cards had not been charged because consequences of a data breach can take time to materialise.
A spokeswoman for Business Information Services said that as a result of a "control vulnerability" some historical information about employees' work expenses "was vulnerable to possible cyber breach".
"There is no evidence of a cyber-attack, only that it was possible," she said.
The spokeswoman said the information included "partially anonymous work-related expenses" including "cost centres, corporate credit cards without CCV and expiry dates and passwords that were hashed and therefore not visible".
"The bulk of credit card information within the data had expired."
The BIS spokeswoman said the vulnerability was "secured within four hours", the data is no longer publicly accessible and it had undertaken a security review.
The DSS spokesman said the department "takes security seriously".
He said the department has been working with the ACSC and the Office of the Australian Information Commissioner to notify 2,000 current and 6,500 former employees and to work with the external contractor "to ensure effective arrangements are in place, and to support affected staff".
The letter also suggested employees may wish to change or strengthen passwords if they used the same password across work and personal accounts.