Human error tests agency safety
Human error, rather than complex cyber attacks, is responsible for most security breaches at Australia's corporate regulator and Tax Office, with reports of strangers found walking around buildings and staff accidentally donating confidential papers to charity.
The Australian Securities and Investments Commission has reported 11 unauthorised entries to its offices including a staff member's friends and family, a tourist, a homeless person, a thief trying to break into its bike shed and a lost "Asian man".
It also reported a Chinese delegate taking photos in its Sydney offices, an incident that was later confirmed by security cameras. The images were "forwarded to appropriate authorities".
On a more serious note, ASIC also reported an unsuccessful job applicant "applied for the corporate credit card giving fraudulent email address", but was stopped "before anything could happen", and that someone under investigation for identity theft accessed ASIC's computer system. In 2009, eight laptops were stolen from ASIC's IT department.
The data was released under a freedom-of-information request covering all security breaches over the past four years.
Similar reports from Treasury and the Department of Finance also reveal a small number of phones and laptops have been lost or stolen in the past four years: 25 devices across both departments. All were encrypted and information could be wiped as soon as they were stolen, so the departments think the risk of losing information was low.
Treasury staff have lost a handful of USB sticks and modems and one teleconference "sound station".
Finance reported 11 attempts to intrude or deny service on government websites and its network.
Tax Office chief technology officer Todd Heather said the ATO sees regular attempts to break into its website, but none were successful in the past four years.
"We tend to get a flurry of [internet] attacks during school holidays. We see regular traffic attempting to probe us to see if we are vulnerable," he said.
The ATO revealed that in 2012 a woman bought a satchel from an op shop and found a nine-page client report marked "ATO In-Confidence" inside. The buyer "happened to be the spouse of an ATO officer" and returned the documents. The satchel also contained business cards that led directly to the culprit.
The ATO's report reveals a substantial increase in email breaches between 2009 and 2010 following the introduction of a detection system. There were 22 breaches in 2009, but this jumped to 211 breaches in 2010. The figures dropped to 114 breaches in 2011 and 110 in 2012.
Chief knowledge officer Bruce Thompson said the ATO found many breaches were staff emailing documents to personal accounts to be worked on at home. Nine staff were disciplined, losing up to 3.5 per cent of their pay for a year.