Something that many experts have warned is entirely predictable – taking into account both the quality, or lack thereof, of proper oversight, has unfortunately come to pass in Australia. There, data from over half a million check-ins performed using Covid measures-mandated QR codes has been compromised.
The huge leak – from some 566,318 locations – has embarrassed the New South Wales (NSW) government, which put the mandate in place via its Customer Services Department, saying at the time it was to protect Australians in the pandemic.
Contained in this data are not merely locations, but also addresses from other Australian states of entities eager to comply with the measures from outside the NSW who did business there – hence this data breach mayhem affects the whole country.
Instead of being protected, it now turns out citizens are in danger as the authorities uploaded a list of various places, such as shelters for victims of domestic abuse, defense facilities (including a missile unit), essential public infrastructure like tunnels and power stations, and prisons.
In New South Wales, what’s elsewhere known as government “incompetence” is apparently called “an error,” and so the state’s premier, Dominic Perrotte, said that’s how the list got uploaded. Reports say the leak happened last September, when it was discovered by security experts, but Australians are only learning about it now.
In October last year, the NSW data website did post a cryptic message saying that the Covid Safe Businesses and Organizations dataset had been discontinued due to unidentified “issues with integrity of the data.”
Terry O’Gorman, a civil rights advocate and lawyer, doesn’t think there appears to be much doubt as to what happens next:
“If there has been, as it appears on its face, to have been a significant breach, then (the) relevant state government department must be prosecuted.”
But there’s another angle to the affair: given the sensitive nature of the data, actually publishing it – ostensibly rather than simply reporting to the public that the incident occurred – makes the situation even worse.
O’Gorman questioned the thinking behind the decision to now make the information available, while Full Stop Australia advocacy group said that making publicly known the location of centers that accommodate domestic abuse victims “could be a matter of life and death” for them.
Those whose location data has been compromised could perhaps find solace in the fact that reports are saying “the NSW Government said the Privacy Commissioner told it ‘the incident did not constitute a privacy breach.'”