The personal details of nearly 10,000 people seeking asylum in Australia – unlawfully posted online by the Australian government – were accessed by people in foreign countries, including China, Russia, Egypt, and Pakistan, and from masked anonymous locations.
New documents show the information was allegedly used to threaten asylum seekers, and to persecute their families.
The Department of Immigration and Border Protection – now home affairs – was alerted to its massive accidental data breach by a Guardian investigation in February 2014.
A compensation claim on the breach is being heard on Monday morning in the Administrative Appeals Tribunal. The total payout could run to tens of millions of dollars.
The personal information of 9,528 people then held in immigration detention – including full names, citizenships, dates of birth, location and period in immigration detention – was publicly available online on the department’s website for eight days in early 2014. More than 2,500 of them were children.
In January, the office of the Australian information commissioner ordered the Australian government to pay compensation to nearly 1,300 people from that group who mounted a class action against the government, arguing that the exposure of their information could leave them vulnerable to persecution if forced to return to their home countries.
The payout model put forward by lawyers for those affected proposes at least $10,000 in compensation for each person for the impact on their privacy and human rights, with additional payments, possibly more than an additional $25,000, for people acutely affected by their private information being released. The OAIC has proposed a range from $500 to more than $20,000.
Newly available tribunal documents reveal that, while most IP addresses accessing the information were Australian, there was access from at least 11 other countries, including China, Egypt, the Russian Federation, Pakistan, Malaysia, and India. It was also accessed from anonymous locations.
The report, a Microsoft Excel document, was directly accessed 123 times by 104 unique IP addresses. It was downloaded at least 26 times, the department says. The report was also available on the Internet Archive for 16 days: it is not known how many times, and from where, it was accessed there.
According to submissions on behalf of the affected people, the data breach has been used against asylum seekers and, in some cases, led to their families in their home countries being threatened.
In one case, a verdict in a foreign court explicitly referenced the data leaked on the Australian government website as evidence that a person linked to an asylum seeker then in Australia had helped the asylum seeker flee their home country. The person was jailed as a result.
“Multiple class members [asylum seekers] have provided documentary evidence of repercussions against their families upon their protection applications becoming known, after the data breach,” documents before the tribunal state.
“The risk of this information being accessed by authorities is now realised, and if they were to attempt to return home they would be at a high risk of being persecuted by authorities, or of having their families persecuted.”
The department sent emails and letters to those people whose privacy had been breached. Not all were able to be reached. Some had left Australia, and at least 172 were not sent notices because they had died, according to the department’s records.
Slater and Gordon, acting for the asylum seekers, said the loss of the personal information was especially damaging for people seeking asylum. “The immense fears flowing from the data breach are well founded,” the legal firm said.
“The data breach is a particularly serious one, and the consequences of the breach may yet be particularly harmful.”
Slater and Gordon has argued that, in light of the data breach, the secretary of the department should reconsider applications for protection visas that were made by class members but refused.
“The loss of the confidential nature of the information cannot ever be rectified – on the secretary’s own evidence, it seems that there is no way to know where the information currently is or how far it has (or will) spread; there is no suggestion or sense that the sensitivity of the personal information or the potential risks posed by its disclosure will diminish materially over time (particularly in cases of class members who have left behind relatives or close friends or associates in their former countries),” the firm said.
The department, in documents before the tribunal, said as soon as it was alerted to the data breach by the Guardian, it took steps to remove the document within 45 minutes. It wrote to those affected “to alert them that the inadvertent disclosure of their personal information had occurred and to express the department’s deep regret that it had inadvertently allowed potential unauthorised access to the individuals’ personal information”.
In this correspondence, the department noted that it would assess any implications for the individuals as part of its normal processes, and that individuals could also raise concerns during those processes.