Social services minister Christian Porter has ordered an investigation into a data breach that has affected more than 8,000 Department of Social Services employees for more than a year.
The personal information of 8,500 current and former employees was left exposed in the breach in the Business Information Services system, which held expenses and credit card information between 2004 and 2015.
The data included employees’ names, user names, credit card information, work phone numbers, work emails, system passwords, Australian government services numbers, public service classifications and organisation units.
“I have requested a full investigation of the issue to determine how the breach occurred,” Mr Porter said.
“The government takes incidences like this very seriously and the department has worked rapidly to contain the issue.”
Mr Porter’s calls for an investigation came after the Greens blamed outsourcing for the breach in the Business Information Services system.
The system held expenses and credit card information between 2004 and 2015.
Opposition social services spokeswoman Jenny Macklin and cyber security spokeswoman Gai Brodtmann said Labor was “deeply concerned” by the breach because the government was responsible for keeping employee data safe.
“The minister must now outline what is being done to investigate this breach, explain to staff exactly how their data was exposed, for how long and whether it is now safe, and confirm whether his department complies with the mandated cybersecurity standards,” they said.
“It’s the government’s responsibility to ensure the cyber-resilience of government agencies and this responsibility extends to the contractors that government agencies employ.”
Greens social services spokeswoman Rachel Siewert said it demonstrated the risk of outsourcing jobs involving sensitive information.
“The federal government is continually looking to outsource and privatise department and Centrelink services, and here is another example of the associated risks,” she said.
“Handing sensitive material to private contractors who do not have the same checks and balances means that breaches are more likely to occur.”
Business Information Services has had contracts with the department since 2007 under Labor.
Mr Porter said it was “standard practice to approach the market to procure these services.”
Australian Privacy Foundation chairman David Vaile said the department had not acknowledged that outsourcing functions to an external provider “represents an increased risk” and claimed outsourcing was harmful “from a governance perspective” because “you can deny you’re part of the problem, you think you’ve contracted out of responsibility.”
However, a DSS spokesman said the breach was closed within hours after the Australian Signals Directorate notified the department.
The department told staff there was “no evidence” of improper use of the data or of the department’s credit cards.
A spokeswoman for Business Information Services said some historical information about employees’ work expenses “was vulnerable to possible cyber-breach” as a result of “control vulnerability”.
She said the information included “partially anonymous work-related expenses” and included “cost centres, corporate credit cards without CCV and expiry dates, and passwords that were hashed and therefore not visible.”
She said the vulnerability was “secured within four hours” and was “labelled low-risk”.
However, Mr Vaile said the breach affected a large number of employees, and that their usernames, full names and system passwords were material that could be used for identity theft and fraud if an attacker pretended to be an authorised user.