An online dashboard showing expressions of interests from 774,000 prospective migrants to Australia has been found to reveal personal data including partial names, ages, and status of their migration application.
The Skillselect platform was designed for skilled migrants to fill out expressions of interest (EOI) which can be viewed publicly – possibly leading to invitations for skilled work visas.
According to a report from The Guardian, it was trivially easy for a user of the public Skillselect app to find a unique identifier called ‘ADUserID’ that included a partial name and a string of numbers.
The ADUserID could then be used to drill down in the app to find other information about a specific applicant including their marital status, country of birth, and qualifications.
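As an added illustration, not code from the article or from the Skillselect platform, the Python below contrasts a name-derived identifier of the kind described with an opaque one, and models the two controls whose absence turns a guessable identifier into a disclosure: per-applicant drill-down gated on record ownership, and a public view limited to aggregate counts with small cells suppressed. All names, records and account labels are constructed.

```python
import secrets
from collections import Counter

# Constructed sample records (hypothetical; not real EOI data).
APPLICANTS = [
    {"name": "Jane Example", "age": 34, "country": "Atlantis", "status": "submitted"},
    {"name": "Sam Sample", "age": 29, "country": "Atlantis", "status": "submitted"},
    {"name": "Ana Placeholder", "age": 41, "country": "Utopia", "status": "submitted"},
    {"name": "Lee Fictional", "age": 37, "country": "Utopia", "status": "invited"},
]


def name_derived_id(name: str, seq: int) -> str:
    """The problem pattern: part of the surname plus a sequence number.
    Anyone who knows the applicant's name already holds most of the key."""
    surname = name.split()[-1].upper()[:4]
    return f"{surname}{seq:06d}"


def opaque_id() -> str:
    """128-bit random identifier that carries no personal data."""
    return secrets.token_urlsafe(16)


class Dashboard:
    """Minimal model of an EOI dashboard with the two missing controls."""

    def __init__(self, applicants):
        self.records = {}   # opaque id -> applicant record
        self.owners = {}    # opaque id -> account allowed to read it
        for i, rec in enumerate(applicants):
            aid = opaque_id()
            self.records[aid] = rec
            self.owners[aid] = f"account-{i}"   # constructed account label

    def public_stats(self, field: str, min_count: int = 2) -> dict:
        """Public view: counts only, with small cells suppressed so a
        bucket holding one applicant cannot single anyone out."""
        counts = Counter(rec[field] for rec in self.records.values())
        return {k: v for k, v in counts.items() if v >= min_count}

    def record(self, aid: str, requester: str) -> dict:
        """Drill-down: a record is returned only to its own account, so
        knowing or guessing an identifier is not enough on its own."""
        if self.owners.get(aid) != requester:
            raise PermissionError("requester is not the record owner")
        return self.records[aid]
```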
Cryptographer Vanessa Teague said the inclusion of the ADUserID appeared to be a “stuff up”.
“It certainly looks like if you had a hypothesis about who had applied you could guess their UserID,” she told The Guardian.
“If you can use this to pin down a specific person that you’re thinking about and from that understand what they had entered into certain categories, then that is a way to extract information you might not already have known.”
By Monday morning, the dashboard was offline and is still “unavailable” at the time of publication.
A spokesperson for the Department of Education, Skills and Employment told Information Age that the site was down while it and the Department of Home Affairs “look into the matter”.
A statement from the Office of the Australian Information Commissioner (OAIC) suggests the department's investigation was not proactive.
“Where we are made aware of a potential privacy incident or notifiable data breach, the OAIC may engage with the organisation involved to establish the facts of the matter,” a spokesperson told Information Age.
“In this instance, the Department of Home Affairs has advised that they and the Department of Education, Skills and Employment are investigating the matter.”
Under the Notifiable Data Breaches scheme, organisations with a suspected data breach have 30 days to determine if a breach has occurred.
If they discover a breach, organisations must tell affected individuals if there has been “unauthorised access to, loss, or disclosure of personal information that is likely to result in serious harm”.
Board member of the Australian Privacy Foundation, Monique Mann, told The Guardian she was concerned that government departments had not identified the data breach on their own.
“What processes of auditing and oversight are occurring within Department of Home Affairs?” she said.
“This department is responsible for policing, border protection and intelligence. You would expect a greater level of information security than this.”