Search
Close this search box.

Ex-contractor accessed Govt systems 260 times a year after leaving

Share:

Former department breached privacy laws over an extended period

In a story that is a horrific example of what can go wrong from a cybersecurity perspective for government agencies, the Office of the Victorian Information Commissioner’s (OVIC) has made public findings that an ex-contractor was able to access a key Victorian government IT system 260 times in the year after leaving the service provider for which they worked.

The case exposes the failings in employee off-boarding and access management in a key Victorian government agency.

The ex-contractor in question was previously stood down from another agency (which dealt with youth-related affairs) over allegations that he may have accessed child pornography while working there.

OVIC made the revelation in its investigation into a data breach at the former Department of Health and Human Services (DHHS), which took place between September 2017 and October 2018.

OVIC was notified of the breach in December 2018 after the former employee of an unnamed contracted service provider (CSP) was identified as having accessed personal information on the client relationship information system for service providers (CRISSP).

The individual had worked for the CSP as a case worker between April 2016 and September 2017, but after ceasing employment had “continued to access CRISSP without authorisation to find information about individuals recorded in CRISSP”.

A log check by DHHS (now the Department of Fairness, Families and Housing [DFFH]) revealed that the former CSP employee had “accessed CRISSP without authorisation 260 times between 13 September 2017 and 6 October 2018 involving 27 clients of the CSP”.

During this time, the individual was briefly employed at another “youth-focused service provider”, but was stood down in or around February 2018 over allegations that he may have accessed child pornography.

However, it was not until October 2018, when a Department of Justice and Regulation employee noticed that the man had continued accessing CRISSP, that his access was revoked.

OVIC’s investigation – which was completed in May 2020, but was not immediately published due to a separate criminal investigation into the former employee – found that both DHHS and the CSP contravened the state’s information privacy principles (IPPs).

The watchdog said the breach was caused by “a failure by [the former employee’s] supervisor to initiate the process to terminate… access to the CRISSP when he no longer needed access to the system”.

“This failure could be described as human error because it was contrary to the CSP’s processes for deprovisioning access to CRISSP,” the report said.

“This failure was due to an inadequate handover when one manager departed the role and another took over.”

The breach was also caused by “the absence of any effective secondary procedure or system for when the primary mechanism for terminating a user’s access to CRISSP failed.”

“Neither DHHS nor the CSP had an effective secondary procedure or system in place,” OVIC found.

OVIC said the CSP contravened IPP 4.1 by “not having any mechanisms in place to account for the risk of human error in the deprovisioning process for CRISSP”, noting that it had “made significant improvements to its off boarding processes since”.

Under IPP 4.1, organisations, including contractors, are required to “take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure”.

DHHS also contravened IPP 4.1 for “failing to conduct any privacy or security checks on the CSP between 2008 and 2018” and “failing to take steps to confirm the currency of the CRISSP user list between 2008 and 2018”.

The ex-contractor in question was previously stood down from another agency (which dealt with youth-related affairs) over allegations that he may have accessed child pornography while working there.

“The deputy commissioner found that DHHS did not do enough to both support the CSP and to seek assurance that the CSP kept user access lists for CRISSP up to date,” the report said.

“… Regular monitoring of the ways in which the CSP was meeting its privacy and security obligations was a reasonable step expected to be taken by DHHS to protect the information in CRISSP.”

OVIC recommended the CSP conduct checks of CRISSP user access against payroll and other staffing records every three months and train its staff about privacy and security policies, which the organisation has now done.

Despite showing “insight and a willingness to admit and address the issues that contributed to the breach”, the department was also issued with a compliance notice after the deputy commissioner deciding to “exercise her discretion”.

“The CSP has implemented the recommendations made to it and DHHS (now the DFFH) is on schedule to complete all the specified actions required by the compliance notice,” Victorian information commissioner Sven Bluemmel said.

“Both organisations cooperated fully with the deputy commissioner’s investigation and demonstrated a willingness to improve their practices and learn from the incident. They recognised the incident’s gravity and responded appropriately.”

Bluemmel added that “outsourcing arrangements cannot be ‘set and forget’”, and that a government agency “retains both a legal and a moral duty to protect the personal information it collects, uses, holds, and discloses” when it shares access to its systems”.

“Government organisations can outsource the management of a program, but they cannot outsource this responsibility,” he said.

Picture of Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Contact

Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Company

Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →

Services

Services

Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl
360

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution

Solutions
Resources

Resources

A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →