Immigration officials remained tight-lipped in Senate estimates under sustained questioning about the reported theft of devices containing highly sensitive information about asylum seekers at the Nauru detention centre earlier this year.
The incident is under investigation by both the Australian Federal Police and former integrity commissioner Phillip Moss, as part of his inquiry into allegations asylum seekers were abused on Nauru. Beyond that, senior public servants from the Department of Immigration and Border Protection were unwilling to say much or even explicitly confirm the incident took place.
Senator Kim Carr recapped the incident in a question to DIBP bureaucrats in Monday’s estimates hearing concerning the portfolio:
“The assertion is that [the alleged theft] involves detainees’ complete personal details, case files and medical histories, as well as their protection claims detailing why they have felt forced to leave their home country to claim asylum in Australia. It is reported that the stolen files contain caseworkers’ notes on detainees, including mental health and behavioural issues, complaints about treatment and allegations of abuse, and the minutes of ‘vulnerable minors’ meetings, where the issues faced by children in detention were discussed. Did that occur?”
Secretary Michael Pezzullo was only willing to say he was “aware of those media reports”, and later stated he personally had “nothing to go on other than the same report” Carr had read and summarised in his question.
There were reports in early September that the alleged theft was under investigation by Save the Children, which managed the family section of the Nauru detention camp where it was said to have occurred, and as such was “responsible for the stored data”. One hard drive, according to the unnamed source in the report, was bizarrely labelled “Do not steal”.
Last week, The Guardian reported that Wilson Security had “promised to review security in response to the thefts” and provided new sources backing up claims that the detention facility lacked basic secure storage facilities.
Deputy secretary Mark Cormack confirmed the allegations that “a USB drive and some hard drives have been misplaced or possibly stolen” were indeed under investigation by both the AFP and the Moss inquiry:
“We have received advice from the service provider as to the loss of some computers and drives. To the extent to which they are telling us the truth — and I have no reason to doubt that they are telling the truth — that has formed the basis of our concern.”
Carr pressed on, saying he assumed the department must have believed the events occurred for it to refer the matter to the AFP. Cormack replied:
“We have very strong advice and receipted information that those events have occurred, and that is why we have undertaken the necessary referrals.”
The DIBP officials refused to provide any detail about the information the department received or which service provider it came from, but that did not prevent Carr from seeking to confirm his belief it was Wilson Security — a question ruled out of order by committee chair Senator Ian MacDonald.
“It should not be taken as assumed that any such theft of information, if it occurred, was in fact by an employee of that company,” Pezzullo cautioned. “It could have been through a subcontractor or another person known to the company.”
Carr sought to link the Nauru incident to another completely unrelated information security breach, in which personal details of about 10,000 asylum seekers were accidentally made available online in February. A review of that mistake by KPMG led to revised training and new procedures for staff who upload information to the public website. Deputy secretary Liz Cosson explained:
“We have also looked at sanitising information before the upload. Within a secure environment, they have an automated practice now where, for any information that looks to be a document that we want to upload, they make sure that there is no link to underlying data.”
Cosson said the department had also implemented some changes to information security based on “penetration testing” conducted by the Australian Signals Directorate late last year. Did it, asked Carr, “go to the circumstances such as we have just discovered at Nauru?” Pezzullo explained that the loss or theft of physical hard drives is not the sort of thing covered by such vulnerability assessments:
“They test the department’s core systems — how far, to use a proverbial term, hackers can get into your system, what your level of confidence is that you have layered defences against those activities.
“[The alleged Nauru incident] really relates to data integrity in a different manner — that is, the conscious theft of data, in this case potentially by persons who are not necessarily Commonwealth employees. We will need to look at those vulnerabilities in the context of Mr Moss’s report.”
Pezzullo said there was no reason to take action based on the “hypothesis” that data storage devices could not be secured and had been stolen on Nauru:
“How do we prevent the theft of that information? Frankly, until Mr Moss reports, I do not know that there is a problem. If there is a problem and Mr Moss advises accordingly, we will take action.”