OAIC concludes investigation into Precedent Communications

In brief

In October 2016, a one-off human error by a Precedent Communications employee led to a massive data breach that rocked the Australian Red Cross Blood Service. The Australian Information and Privacy Commissioner, Timothy Pilgrim, opened separate investigations into both the Red Cross (please see our article OAIC concludes investigation of Australian Red Cross Data Breach) and Precedent. The Commissioner has now finished his investigation into Precedent and his conclusions have a number of lessons.

Key takeaways:

• A number of security deficiencies, each of which might by themselves appear benign, can cumulatively create the circumstances in which human error triggers a data breach. Organisations should have sufficient protections in place to ensure that even if there is a failure at one point, there are other protections in place that will stop a breach from occurring.
• Drafting policies or setting up procedures directed at data security is not sufficient to satisfy your obligations under the Privacy Act – those procedures and policies must be followed. Precedent did not have adequate procedures in place to begin with. But even where it did have procedures directed at data security, those procedures were either not implemented or were not consistently applied across its business. A similar situation arose with Telstra's 2011 data breach, where the names and service details of 734,000 customers were visible over a public internet page. The most damning error in that case was that Telstra staff became aware of the problems with their system but did not escalate them appropriately. In that investigation, the Commissioner found that Telstra had adequate and comprehensive procedures in place but did not follow them.¹

What happened?

Precedent managed the website www.donateblood.com.au for the Red Cross. The website's User Acceptance Testing (UAT) environment was hosted and managed by Precedent directly, and contained a copy of all data entered into the live, user-facing version of the Donate Blood website.

A Precedent employee who was asked to modify a feature on the Donate Blood website created a backup of the UAT database file on the UAT environment before making any changes to the system. Instead of saving this data file (which contained the registration information of 550,000 prospective donors) to a secure location, the employee inadvertently saved it to a publicly accessible portion of the web server on which the UAT environment was implemented.

For more information on the post-incident response, please see OAIC concludes investigation of Australian Red Cross Data Breach in the September edition of Pulse.

Precedent's practices at the time of the breach

Although human error caused the breach, the Commissioner found that Precedent did not have adequate measures in place at an organisational level to protect against that risk, and to ensure that its policies and procedures for protecting data were consistently applied.

In the investigation, a number of key failings were identified regarding Precedent's management of the Donate Blood website. These included:

• Technological safeguards: IP authentication was supposed to be implemented for all client environments, including test environments. IP authentication was not implemented for the Donate Blood website because of a technical incompatibility with a cloud service the Red Cross used. Any internet user was able to access the relevant server if they knew where to look.
• Risk assessment: A 'risk register' was to be completed at the start of every client project. No such register was completed for the Donate Blood project because Precedent considered it a 'support agreement' and not a project. Precedent did not identify a possible data breach as a risk at any time.
• Organisational safeguards:
  • Live data, instead of dummy data, was tested on the UAT environment. Dummy data would have been adequate, and Precedent did not have any processes to monitor or control the possibility of human error in the testing process.
  • Precedent's 'Risk Management Policy' failed to discuss information security relating to the management of personal information or any procedures that Precedent employees needed to follow regarding its privacy obligations.
  • One of the employees involved in the data breach had not read Precedent's 'Data Protection Policy' at the beginning of their employment.
  • The two Precedent employees involved in the data breach were not provided with any additional privacy training.
  • Precedent had failed to undertake the measures necessary to determine the adequacy of its existing security measures.²

Outcome of the OAIC's investigation

The Commissioner found that Precedent failed to adequately mitigate against the foreseeable risk of human error resulting in a data breach. Precedent also did not take reasonable steps to protect the personal information held on the Donate Blood system.

Steps taken by Precedent

Since the data breach, Precedent has undertaken technical, procedural and organisational remediation steps to enhance its privacy and data security safeguards.

Precedent has also provided an enforceable undertaking with the Commissioner's office to:

• establish a data breach response plan;
• update its privacy and data protection policy; and
• ensure that all staff members receive privacy training.