Optus data breach exposes weaknesses in the AFP and Australia's data security laws

2022-09-27

There are serious questions over the Australian Federal Police’s capacity to lead the investigation into the Optus data breach, with two separate independent oversight reports slamming the AFP’s own IT security and systems as woefully inadequate and finding that police routinely break the law in handling data.

The Auditor-General found “serious deficiencies” in the AFP’s record keeping, while the Ombudsman found police routinely break the law in handling data, casting doubt on Optus’ claim that the AFP is “all over” the investigation into its massive data breach. Remarkably, the Auditor-General found that the AFP ranked 156th out of 166 entities on the Australian Government’s information management maturity index.

Australian Greens Senator and Digital Rights Spokesperson David Shoebridge said:

“The AFP is acutely ill-suited to investigate the Optus data breach when we know it has an appalling track record in IT security and data handling, with reports by both the Auditor-General and the Ombudsman finding large gaps, deficiencies and in some cases illegal practices.

“Companies are harvesting our data and then leaving the doors unlocked and the windows open to hackers, and our main protections are weak laws and an ill-equipped AFP.

“A data heist of this magnitude is only possible because companies are harvesting our data and refusing to appropriately secure it, and until now the government has sided with the corporations instead of everyday people.

“This is just the latest in a long list of data breaches by some of the biggest and most profitable companies in the world - Apple, Meta, Uber and many others - they can afford to properly protect and safeguard our personal information and should be held accountable for that.

“Left alone, corporate Australia will not regulate itself, and when they fail in their obligations they should be subject to significant financial penalties.

“We’re seeing our worst data breach nightmares playing out in real time, as our existing laws and data protection systems are no match for Optus hackers.

“We urgently need to create strong digital privacy laws that start with limiting the amount of information taken in the first place and how long it may be retained. The law should prohibit, not encourage, corporations holding your passport details for six years just to get a mobile phone account.

“Australia’s data protection laws are notoriously weak compared to other parts of the world; this hack would have been much less likely in Europe, where data protection laws are far more stringent to protect everyday people.

“If this breach occurred in Europe then Optus would be facing fines of up to AU$30 million or 4% of its annual worldwide turnover. That’s the scale of penalty that encourages data protection,” Senator Shoebridge said.

Background:

Auditor-General Report into the Australian Federal Police’s Use of Statutory Powers

Excerpts from the Auditor-General's report:

Page 15:
1.16 During the audit, it became apparent that there are serious deficiencies in the AFP’s record keeping processes and practices. The ANAO considered that these deficiencies pose a risk to the AFP’s ability to achieve its core functions. Consequently, the ANAO broadened the scope of the audit to include record keeping (see Appendix 3).

Pages 81-82:
29. During the audit, it became apparent that there may be weaknesses in the AFP’s IT security framework. For example, the audit team was advised that individuals’ access to folders in the network drive is not managed, with officers able to continue using and accessing folders ‘belonging’ to work areas that they left some years ago.

30. At the ANAO’s request, the AFP provided key system and network documentation and internal audit reports. While the scope of this audit did not permit a full examination or audit, on the basis of a review of the documents provided and discussions with the AFP, the ANAO considers that:
• all system and network documentation provided is significantly out of date: the Australian Government Information Security Manual requires that entities’ security documentation should be kept up to date and reviewed at least annually;
• many of the risk mitigations in place and assessments documented are no longer relevant because they were based on an operating system that the AFP no longer uses; and
• no current documentation was provided by the AFP to indicate that its security configurations are appropriate.

31. On the basis of the ANAO’s limited review and discussions:
• the AFP’s security management of its network and systems has gaps; and
• the AFP is not meeting the mandatory requirements of the Australian Government’s Protective Security Policy Framework.

Page 80:
Table A.1 shows the AFP’s information management maturity index scores for 2019, which show that the AFP was ranked 156th of 166 entities.

Commonwealth Ombudsman report regarding data handling by Australian law enforcement agencies:

The Ombudsman found that the AFP, among other law-enforcement agencies including state and territory police, repeatedly broke data protection laws, including by wrongfully accessing personal communications data and failing to properly store, protect and destroy it. Breaches have continued despite repeated previous warnings.

The report found that police forces across the country are not aware of their legal obligations for data collection, requests, record keeping and Journalist Information Warrants, and that the Department of Home Affairs lacks comprehensive guidance materials for authorised officers making data requests.