‘Asleep at the Wheel’: Senator Decries Labor Over Data Leaks, Warns of Million-Dollar Losses

Hume’s remarks come in response to revelations of mishandled information, raising concerns about the government’s ability to safeguard sensitive data.
Shadow Finance Minister Jane Hume during a doorstop in the media gallery at Parliament House in Canberra, Australia, on March 18, 2021. (Sam Mooy/Getty Images)
Isabella Rayner
2/24/2024
Updated: 2/24/2024

Shadow Finance Minister Jane Hume strongly criticised Labor’s response to recent data leaks, accusing the finance minister of being “asleep at the wheel” while taxpayers faced potential million-dollar losses.

The Department of Finance launched an investigation after an accidental email leak to suppliers exposed sensitive contract information and personal details of hundreds of service providers.

The mistaken email, sent recently to 236 suppliers, contained a spreadsheet with confidential tender prices and personal data from up to 400 service providers, echoing a similar Department of Health breach in November last year.

“Finance Minister Katy Gallagher should explain why she didn’t put more effort into resolving the damage caused by the same breaches of privacy and commercially sensitive information when it happened only three months ago, and to prevent it from happening again,” Ms. Hume said.

“Instead, we got bland assurances that it wouldn’t. Now we see that she was still asleep at the wheel,” she said.

She expressed concern that Ms. Gallagher’s “lack of interest in her job” could result in lawsuits from affected parties.

“Companies and individuals impacted by this gross incompetence may exercise their rights against the Commonwealth, potentially costing taxpayers millions,” she said.

She urged Ms. Gallagher to clarify how hundreds of businesses had their privacy breached months after the November breach.

In November, a department officer mistakenly uploaded confidential pricing information from hundreds of firms to the wrong section of AusTender, The Australian Financial Review revealed.

The information was then included in a request for quotes from government departments, potentially reaching 22 service providers.

The providers were required to commit to confidentiality and were monitored to ensure they didn’t use the information for a competitive edge.

“Companies impacted [in the latest incident] need more than an apology from the Department, and clearly no assurance that this problem won’t be repeated will suffice,” Ms. Hume said.

“This isn’t just a one-off, this is now a track record of incompetence.”

Labor: Confidential Information Disclosure ‘Regrettable’

The finance department said it discovered the mishandled email on Feb. 19, five days after it happened.

“On 14-15 February 2024, the Department of Finance, as contract managers for the Management Advisory Services Panel, emailed 236 suppliers with details of their updated pricing. The email included embedded information with some third-party confidential information,” it said in a statement.

“Please note that no third-party confidential information would have been accessed or viewed by a person who simply opened the email or its attachments.”

Finance called all 236 suppliers to request the deletion of the email and its attachments, followed by a subsequent email asking for written confirmation of the deletion.

Additionally, it informed all suppliers on the Management Advisory Services Panel—the federal government’s central hub for buying management, policy, technical, and legal advice—about the issue and the actions taken so far.

While Ms. Gallagher is attending a G20 meeting in Brazil, Finance Department Secretary Jenny Wilkinson announced that former Commonwealth Ombudsman Michael Manthorpe would lead a review into the leak.

“The review will consider the circumstances that led to the unauthorised disclosure of the information, as well as the department’s systems and processes,” Finance said.

Additionally, it apologised for the “oversight.”

“The potential disclosure of this third-party confidential information is regrettable.”

Accenture, Boston Consulting Group, Deloitte, KPMG, and Minter Ellison were among the big firms to have information leaked.

Health and Finance Sectors Lead Breach Reports in 2023

The Office of the Australian Information Commissioner (OAIC) revealed the health and finance sectors reported the highest number of breaches in the six months leading to December 2023, with 104 and 49 incidents, respectively.

About 12 breaches in the government were malicious or criminal, while 26 resulted from human error.

Of the 26 human error breaches, 13 involved sending personal information to the wrong person, 11 resulted from unauthorised disclosure of personal information, and two concerned the loss of paperwork or a data storage device.

Additionally, the government accounted for the largest proportion (55 percent) of notifications made to the OAIC more than 30 days after the agency became aware of the incident.

“These statistics suggest Australian government agencies should check they have effective systems for detecting, assessing, responding to, and notifying data breaches. Such systems are fundamental to an agency’s ability to meet the Notifiable Data Breaches (NDB) scheme’s requirements,” OAIC said.

Australian Information Commissioner Angelene Falk said the scheme—which mandates any organisation or agency under the Privacy Act 1988 to inform affected people and the OAIC about data breaches likely to cause serious harm to their personal information—is now well established, and organisations are expected to comply.

“If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised,” she said.