A government auditor from Western Australia kept information about every police officer in the state on their laptop, which the corruption watchdog has described as “naïve and silly in the extreme”.
The Corruption and Crime Commission’s latest report revealed the watchdog had received “allegations of serious misconduct” in February 2019, leading to an investigation named Operation Phoenix.
The investigation found two employees from the Office of the Auditor General had accessed information on fellow staff members, including the credit card information and meeting notes of the auditor general, Caroline Spencer.
One of the employees had stored some of the information on his personal computer.
Commissioner John McKechnie said he was shocked by the findings.
“The outcome is startling. Two auditors, each a certified practicing accountant, had routinely accessed confidential information about other OAG officers, including payroll details and other private and confidential information,” he wrote.
“They were able to access confidential information within OAG because it was not properly protected. Once an officer in OAG logged on using a password, that officer had access to all of the OAG systems, including access to TRIM, a record management system.
“The potential for others to acquire this information is a serious misconduct risk. It can be used for personal gain. It can be sold to criminals.”
The investigation also found one of the employees had “obtained and retained access to the names and addresses of every serving police officer in WA, some years after completing an audit of the WA Police Force”.
The employee was an auditor and had been involved in financial audits of the WA Police Force, Department of Justice, and Corruption and Crime Commission.
The names of 8800 officers, employees, and contractors were stored on a spreadsheet on a laptop computer, the report noted. OAG was unaware until the laptop was examined as part of Operation Phoenix.
The information dated back to 2015.
The report said that while there was no evidence the data was shared with others, the misconduct risk was “obvious”, and described the employee’s actions as “naïve and silly in the extreme”.
“The information was less than five years old. Its value to criminal elements could be immense,” it said.
Another employee, former OAG assistant director Yusoof Ariff, was found to have deliberately destroyed an IronKey — an encrypted USB portable storage device — by entering the wrong password 10 times.
The report noted Ariff claimed he was simply “angry at the time”, but proposed “another more sinister explanation”.
“Mr Ariff destroyed the IronKey because he did not want an examination of what had been stored on it, or what had been done with data from it,” the report said.
“In examination, Mr Ariff stated he stored everything work related on the IronKey. Destruction of the IronKey prevents the commission from confirming precisely what was on the IronKey. The commission is unable to determine whether the true purpose was: anger, concealment, or something else.
“In the circumstances, an opinion of serious misconduct is appropriate.”
The CCC said the report highlighted numerous misconduct risks, including: the easy transfer of data which could potentially be misused; identity theft, facilitated by access to payroll systems; access to home addresses which may be used for intimidation or other serious criminal offences; access to confidential information which could be used for blackmail or manipulated for personal gain; and the risk of organised crime targeting public servants for information.
It argued public authorities should:
- take urgent action to ensure appropriate security classifications and restricted accesses are in place in respect of the various classes of information held by each authority,
- further examine controls over access to confidential information,
- subject information of a highly confidential nature, such as police officers’ names and addresses, to rigorous protections before, during and after an audit. Specifically, OAG should review its procedures to ensure that following an audit, data is only retained in a secure location,
- ensure confidential material used for an audit by the OAG remains confidential at the conclusion of the audit,
- consider their policies with respect to securing confidential information and ensure that regular internal checks are conducted to identify and deter unauthorised accesses and disclosures,
- consider whether there are gaps in the security of confidential information and, if so, engage in training and education initiatives to raise awareness around identification, detection, prevention and reporting information misuse.