Whether an autofill mishap or a "What in the name of God were you thinking?" move, somebody's shrimp is on the barbie at Australia's immigration department after an officer there emailed President Obama's passport number and other personal information to an organizer at the Asian Cup football tournament. And before you think otherwise: Yeah, it matters.
An Australian freedom of information request recently revealed that the personally identifiable information (PII) of many of the world leaders who attended last year's G20 summit in Brisbane — including President Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, China's President Xi Jinping, India's Prime Minister Narendra Modi, Japan's Prime Minister Shinzo Abe and UK Prime Minister David Cameron — was accidentally leaked by a government employee. Worse, there was an attempt to sweep this mess under the rug.
The freedom of information request revealed that an immigration official notified Australia's privacy commissioner about the walkabout presidential/prime ministerial PII shortly after the misdirected email was received by its startled recipient.
"The personal information which has been breached," an email notifying the privacy commissioner stated, "is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (i.e., prime ministers, presidents and their equivalents) attending the G20 leaders summit."
"The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person.
"The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.
"The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach."
The decision not to inform any of the world leaders was based on the fact that the recipient of the wayward email had deleted it from their computer and then deleted the deleted email from the "deleted items" folder.
The Inevitable Weak Link
Unlike code, with its right/wrong, open/closed approach to data, humans make a lot of mistakes. Sometimes those mistakes have catastrophic results. The Target breach is a good example of this. The retailing icon didn't properly segment data, and someone at a heating and air conditioning company with a Target contract, and unknowing access to far more systems than anyone could have imagined, clicked on a phishing link in a fraudulent email that ultimately allowed hackers to access its point-of-sale systems — in other words, human error. Subsequently, multiple warnings from Target's own security protocols — indicating the presence of malware — were overridden by someone(s), also human error.