G20 delegates’ personal data breached in autofill email glitch

World leaders’ personal details, including data about passports and visa status, were accidentally revealed by the organisers of the latest G20 summit, The Guardian has revealed.

Those leaders – including Barack Obama, Vladimir Putin, Tony Abbott, Angela Merkel, David Cameron, Narendra Modi and others – were supposedly kept in the dark about the data breach because it was felt it wasn’t necessary to inform them.

On 7 November 2014, the director of the visa services division of Australia’s Department of Immigration and Border Protection sent an email seeking urgent advice from the Australian privacy commissioner.

In that email, which The Guardian obtained under Australia’s freedom of information laws, the breach was blamed on an employee having emailed a member of the local organising committee of the Asian Cup and accidentally including the personal information.

The director blamed the glitch on an employee sending an email via Microsoft Outlook, which auto-filled the wrong address in the “To” field.

The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person.

The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.

The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.

The director said that the breached personal information included the name, date of birth, title, position, nationality, passport number, visa grant number and visa subclass held of 31 international leaders, including prime ministers, presidents and their equivalents who attended the 2014 G20 leaders summit in Brisbane.

The letter asserts that the information likely didn’t enter the public domain, given that…

  • Whoever received the email deleted it and emptied their deleted items folder.
  • The retention period on deleted items in the sender’s account was set to 0 “to purge the item completely.”
  • There was no record of the email having been forwarded.
  • The email wasn’t backed up, given that backups run only at night.

The fact that addresses or other contact information wasn’t included in the email “limits significantly the potential risk of this breach,” the director said.

The passport data, on the other hand, could be used “for unknown purposes” by the recipient, the director’s letter said, though it seems unlikely to happen.

The Asian Cup local organising committee do not believe the email to be accessible, recoverable or stored anywhere else in their systems.

The immigration officer closed with a recommendation that the world leaders needn’t be informed of the breach of their personal information:

Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach.

She also gave assurances that she’d remind staff to double-check email recipients before hitting “send.”

Whether or not it’s legal to avoid disclosing the breach depends on which country a given world leader calls home, given that they all have their own mandatory data breach notification laws.

The office of the Australian immigration minister, Peter Dutton, didn’t respond to The Guardian’s questions, and thus it’s unknown whether or not the immigration department informed the delegates of the breach in spite of the letter’s recommendation against it.

The timing of this revelation will likely embarrass the Australian government, which just last week passed mandatory data retention laws that require telecommunications and internet service providers to store customers’ metadata for at least two years.

Our advice for email users

  • If you find autocomplete so useful that you can’t live without it, see if your email client supports the handy half-way feature of showing you a list of possible addresses as you type but never selecting one automatically.
  • If you are thinking of sending passport numbers and other PII (personally identifiable information) in an unencrypted email, DON’T!
  • Consider using a data leakage prevention product that can automatically help to spot and block egregious PII mistakes, such as unencrypted emails that contain repeated identifiers like passport numbers. This helps prevent bulk data leakages of this sort.
  • If your email automatically adds the From: addresses of received emails to your address book, turn this feature off – don’t collect data you don’t need!
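
To make the data leakage prevention advice concrete, here is an added example (not from the original article and not any vendor's product) of an outbound check that blocks unencrypted mail carrying several distinct passport-like identifiers to an outside recipient. The identifier pattern, the threshold, the domain names and the sample messages are all assumptions constructed for illustration, and only text bodies are inspected, not attachments.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumptions (not from the article): a passport-like token is 1-2 capital
# letters followed by 6-8 digits, and "immi.example" is the internal domain.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{6,8}\b")
INTERNAL_DOMAIN = "immi.example"
BULK_THRESHOLD = 3  # distinct identifiers that count as a bulk disclosure
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_outbound(raw_message):
    """Return (action, reason) for one outbound RFC 5322 message."""
    msg = message_from_string(raw_message)
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return ("allow", "S/MIME or PGP encrypted; content not inspectable")
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    external = sorted({addr.lower() for _, addr in getaddresses(headers)
                       if not addr.lower().endswith("@" + INTERNAL_DOMAIN)})
    ids = set(PASSPORT_RE.findall(body_text(msg)))
    if len(ids) < BULK_THRESHOLD:
        return ("allow", f"{len(ids)} passport-like identifier(s)")
    if external:
        return ("block", f"{len(ids)} identifiers, unencrypted, to {', '.join(external)}")
    return ("warn", f"{len(ids)} identifiers, unencrypted, internal recipients only")

# Constructed sample messages (fictional names, numbers and addresses).
ROWS = "\n".join(f"Delegate {i}, passport X{1000000 + i}" for i in range(1, 5))
MISADDRESSED = f"From: officer@immi.example\nTo: j.smith@asiancup.example\nSubject: G20 list\n\n{ROWS}\n"
INTERNAL = MISADDRESSED.replace("j.smith@asiancup.example", "j.smith@immi.example")
SINGLE = "From: officer@immi.example\nTo: agent@travel.example\nSubject: visa\n\nPassport X1000001\n"
ENCRYPTED = ("From: officer@immi.example\nTo: j.smith@asiancup.example\n"
             "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\nconstructed-placeholder\n")

if __name__ == "__main__":
    for name in ("MISADDRESSED", "INTERNAL", "SINGLE", "ENCRYPTED"):
        print(name, check_outbound(globals()[name]))
```

Counting distinct identifiers rather than raw matches keeps a single passport number quoted in a reply chain from tripping the rule, while a list like the one in this incident is stopped before it leaves the sender's organisation.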

Image of G20 world leaders By Agência Brasil/Roberto Stuckert Filho, via Wikimedia Commons