Software dev accidentally leaks Australian govt documents | Information Age | ACS
By Tom Williams on Nov 05 2025 02:30 PM
An external software developer engaged by an Australian government agency accidentally made a collection of private documents available on the public internet earlier this year, according to the nation's Privacy Commissioner, Carly Kind.

The commissioner revealed the data breach on Tuesday and confirmed the incident was reported to the Office of the Australian Information Commissioner (OAIC) in the period between January and June 2025.

The breach was classified as a Notifiable Data Breach due to its potential to cause serious harm to Australians.

A third-party software developer had been engaged to work on the federal government agency's website, said Kind, who did not state which agency or which external provider were involved.

The software developer ran a script on the website without authorisation from the agency, which caused documents designated as private to become publicly available online and on search engines, Kind wrote in a blog post.

This resulted in two separate occasions of unauthorised disclosure where documents submitted via the agency's website became publicly available online.

The agency in question immediately deleted all documents submitted via its website, removed the documents from public view on search engines, reset the file types on its website back to private, and notified affected individuals after becoming aware of the breach, Kind added.

The agency allegedly advised OAIC that it already had systems in place which informed third-party providers that no actions were to be taken without written permission from the agency.

It also allegedly told the regulator it would review its personal information processes for third-party providers in light of the data breach incident.

"The outsourcing of work to third parties has been a factor in an increasing number of Notifiable Data Breaches," Kind said.

"It is important for organisations to consider the risks of outsourcing personal information handling at the earliest stage of procurement."

The case involving a third-party software developer and a government agency served as a reminder that organisations were responsible for the actions of external providers when personal information handling was outsourced, Kind added.

"Organisations that implement strong supplier risk management frameworks, together with more robust security measures, can substantially minimise the impact of a data breach in the supply chain," she said.

Privacy Commissioner Carly Kind says an increasing number of data breaches are linked to third-party outsourcing. Image: OAIC / Supplied

Australian organisations should work with suppliers who displayed robust security controls and appropriate personal information handling measures, Kind said.

The commissioner also recommended having oversight of third-party providers by carrying out cybersecurity assessments and audits, as well as checking their compliance with relevant security standards, contractual requirements and legal obligations.

Previous data breaches partly attributed to the outsourcing of work have included Qantas, whose third-party call centre allowed cybercriminals access to customer information, and Brisbane telemarketer Pareto Phone, which was used by Australian charities and suffered a data breach in 2023.

OAIC had been notified of 532 data breaches in the January to June 2025 reporting period, it announced on Tuesday.

This was a 10 per cent decrease on the previous six months, when the agency saw Notifiable Data Breaches hit a record high in the second half of 2024.

Kind suggested the slight drop could be due to an observed trend of fewer data breaches being reported in the second half of each calendar year.

Australian government agencies reported 13 per cent of breaches in the latest period, behind the finance sector (14 per cent) and the health sector (18 per cent).

The main source of data breaches reported between January and June was malicious or criminal attacks, which accounted for 59 per cent of reports.

Human error was attributed to 37 per cent of reported breaches in the period, a rise from 29 per cent in the previous period, while system faults accounted for only three per cent of incidents.

The average number of people affected by breaches caused by cybersecurity incidents was just over 10,000 in the latest reporting period, which Kind said served as a reminder that cyber risk is increasingly prevalent and sophisticated.

OAIC's latest statistics arrived as it also launched a public Notifiable Data Breach statistics dashboard, which it said would be updated with its newest data every six months.

"Our goal for the new Notifiable Data Breaches dashboard is to help reporting entities learn from the experiences of others, those organisations and agencies who have had to notify us of a data breach," Kind said.

"We hope the tool is used to improve their own responses and reporting if a data breach occurs."

Know more about this data breach? Contact Senior Journalist Tom Williams via secure email at [email protected].

Tom Williams is a senior journalist at Information Age, with key interests in consumer technology, artificial intelligence, quantum computing, cybersecurity and telecommunications. He was previously a digital journalist at ABC News, where he covered technology and breaking news.

You can follow Tom on Bluesky, LinkedIn or Threads, contact him at [email protected] and send tip-offs via secure email to [email protected].