Your personal details could be at risk after Centrelink security breach

Centrelink has copped yet another major backlash after contact details of hundreds of users of the myGov web portal were shared with hundreds of strangers – twice. Centrelink has since apologised for the latest federal government data breach and the incident is now being blamed on a rookie email error – someone at the Department of Human Services hitting the CC button on an email instead of the BCC button. When the department realised it had disclosed the email contact details of hundreds of its customers on October 24, it tried to recall the email containing the information, but instead they only succeeded in sending it again.

Despite the privacy blunder, Human Services’ service delivery boss Darren Box still insists that myGov is the best way for millions of Australians to manage their dealings with the federal government. Mr Box says that no myGov passwords or other potentially compromising material was disclosed by the blunder. The email addresses that were made public belonged to clients who had been locked out of their account, a frequent occurrence, and asked for replacement passwords.

A user told Fairfax she was astonished to find eight pages of email addresses attached to what should have been a routine email from Human Services and to realise her own contact details had been shared.

“Privacy? Sent by their IT department,” the woman told Fairfax.

“The mind boggles.

“Just another mess from this department supposedly there to assist people.”

On the day after the leak, Mr Box wrote to hundreds of myGov customers apologising for the “administrative error”.

“As a result of an administrative error, your email address was unintentionally sent using the Carbon Copy (CC) rather than the Blind Copy (BCC) function in an email to a number of other individuals who had also requested to create a new myGov account,” Mr Box wrote

“This meant that your email address was unintentionally disclosed to the other individuals to whom the email was sent.

“In an attempt to recall this email, regrettably, your email address was disclosed to these same recipients a second time.

“I sincerely apologise for any distress that may have been caused as a result of this incident.

“Please know that your myGov and linked member service information remains secure and has not been impacted by this administrative error.

“The department takes its privacy obligations very seriously and is implementing steps to ensure this does not happen again.”

What do you think of the department’s response?