Data Protection Breach

Data Protection Breach

Australia data leak: Nearly 50,000 government and private staffers' sensitive data publicly exposed

The data was left exposed due to a misconfigured Amazon S3 bucket, presumably left unsecured by a third-party contractor.

Computer code
It remains uncertain whether the exposed data was accessed by any malicious hackers before it was discovered iStock

In yet another accidental data breach, sensitive and personal information of nearly 50,000 Australians was reportedly left freely exposed online. The breach, which is reportedly now considered to be the largest since last year's Red Cross breach, affected employees of the government and private firms.

The data left exposed reportedly included names, IDs, passwords, phone numbers, addresses, credit card information, staff salary details and more. The data was allegedly left exposed due to a misconfigured Amazon S3 bucket, presumably left unsecured by a third-party contractor.

According to IT News, the breach was discovered by a Polish security researcher going by the moniker Wojciech. The breach reportedly affected 3,000 employees at the Department of Finance, 1,470 staffers at the Australian Electoral Commission, and 300 employees at the National Disability Insurance Agency. Around 17,000 staffers records from Utility UGL and 1,500 employees' data from Sydney-headquartered Rabobank were also exposed.

However, financial services firm AMP was reportedly the one worst affected by the breach, with over 25,000 staffers' records freely exposed to the public as a result of the misconfigured S3 bucket.

AMP confirmed that a "limited amount of company data" detailing staff expenses had been unknowingly exposed by a third-party contractor. "The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed. No customer data was compromised at any time," a spokesperson of AMP told IT News. "AMP treats data security very seriously and has strict policies in place regarding the handling of data with third party vendors. We are reviewing the situation to ensure standards are maintained."

"Once the Australian Cyber Security Centre (ACSC) became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability," a spokesperson for the parent agency of ACSC, the department of prime minister and cabinet, told IT News. "Now that the information has been secured, the ACSC and affected government agencies have been working with

Cyberscope Academy

Cyberscope Academy is a free Information Security course site. FREE to advertiser and FREE to learner.

According to the International Association of Privacy Professionals the staffing impact of the General Data Protection Regulation (GDPR) will be huge, with 28,000 data protection officers (DPOs) required in Europe and the US alone.

Contact Us

Colin Rawlinson Cyberscope Academy for more details.
Registered business address: 4/5 Mitchell Street, Summit House, Edinburgh, EH6 7BD, Scotland. Email:
Mobile No: 07961 535753
Aberdeen: +44 (0) 1224 531 086
Brisbane: ++ 617 3188 6222
Perth: ++ 618 6225 2101

Social Links