Home Affairs possible SkillSelect data breach
The Guardian Australia is reporting that Home Affairs may have exposed personal details of 700,000 migrants, in what privacy experts say is a ‘very serious’ data breach.
The reported breach in the SkillSelect platform has the potential to reveal the personal details of 774,000 migrants and people aspiring to migrate to Australia, including partial names and the outcome of applications going back to 2014.
This could not have come at a worse time for the Australian Government, which is asking Australians to place their trust in them and download the COVID-Safe contact tracing app.
The SkillSelect platform, which is hosted by the Department of Education, Skills & Employment, invites skilled workers and business people to express an interest in migrating to Australia.
Expressions of interest are stored for two years and displayed on a publicly available app, advertised on the Home Affairs website, allowing them to receive invitations for skilled work visas.
With just two clicks, users of the app can view a range of fields including the applicants’ “ADUserID”, a unique identifier composed of partial name information and numbers.
Other information available includes the applicants’ birth country, age, qualifications, marital status and the outcome of the applications.
By applying multiple filters, a user could narrow down an expression of interest to a single entry, revealing the other details of the applicant.
Monique Mann, an Australian Privacy Foundation board member, told Guardian Australia the breach was “very serious … especially at a time where the Australian government is expecting trust”.
Mann accused the federal government of a “consistently poor track record that shows that we cannot trust them with our personal information” – citing “blunders” including the My Health Record, robodebt and 2016 census.
Mann said it was a further concern the department had not identified the breach itself.
Following the revelation by Guardian Australia, the platform has apparently been taken offline.