Constellation Insights

Earlier this month, it emerged that a major Amazon Web Services outage was caused by an engineer making a typo while debugging a system. While not the same thing, the accidental exposure of hundreds of Australian politicians and staffers' private mobile phone numbers serves as another reminder that when it comes to security, human error can trump any number of technological measures. The Sydney Morning Herald has the details:

The Department of Parliamentary Services failed to properly delete the numbers before it published the most recent round of politicians' phone bills on the Parliament House website, potentially compromising the privacy and security of MPs from cabinet ministers down.

While in previous years the numbers were taken out of the PDF documents altogether, this time it appears the font was merely turned white - meaning they could still be accessed using copy and paste.

The only numbers absent were those of the very top cabinet ministers including Prime Minister Malcolm Turnbull, Treasurer Scott Morrison, Attorney-General George Brandis and a handful of others.

The department has blamed a private contractor, TELCO Management, for the stuff-up. 

DPS officials have since deleted the private numbers after receiving word about them from the newspaper.

"I really wish we were all a bit more self-conscious about this style of error," says Constellation Research VP and principal analyst Steve Wilson. "We have a host of office tools which are incredibly rigid when you think about it. Our computers are wretchedly unforgiving. 

"In this latest case, someone has deleted some sensitive data in a file, or they thought they had deleted it, but no, the data was still there, hidden, and it cropped up again when the file was moved to a public location," Wilson adds. 

As it happens, the Australian government is becoming a bit notorious for this kind of thing. Other recent episodes include the release of passport details of 20 or so visiting heads of state, Wilson notes, and, worse, the inadvertent publication of names, addresses and other details of 10,000 refugee asylum seekers, many of whom were in personal danger in their countries of origin. "Are we just too laid back down under?" he says.

The truth is that these are the "sorts of mistakes anyone without a master's degree in computing might make," Wilson adds. "Computers are like nitroglycerine. They're kind of safe if you're unnaturally careful in the way you handle them."

Moreover, when correcting a security breach it's crucial to consider other ways compromised data may still be exposed. The website Junkee found that even after the DPS deleted the phone bills, copies of them remained available in Google's cache and the numbers were actually openly visible. They've since been removed from Google's servers.
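A pre-publication check for the failure described above, where the numbers were turned white rather than removed from the PDF. This is an added example, not code from the original article or from any party it names; it assumes the page content stream is already decompressed and uses literal strings, and the sample stream and its values are constructed. It goes slightly beyond the white-font case by also flagging text drawn in PDF's invisible rendering mode.

```python
import re

# Tokens: literal strings (nested parentheses not handled), brackets, everything else.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|[\[\]]|[^\s\[\]()]+")
NUMBER = re.compile(rb"[-+]?(?:\d+\.?\d*|\.\d+)")
# Operand values that mean "white" for the gray, RGB and CMYK fill operators.
WHITE = {b"g": [1.0], b"rg": [1.0, 1.0, 1.0], b"k": [0.0, 0.0, 0.0, 0.0]}
SHOW_TEXT = (b"Tj", b"TJ", b"'", b'"')

def hidden_text(stream: bytes):
    """Return (reason, text) for strings painted white or in invisible mode (3 Tr)."""
    white, mode, saved = False, 0, []      # PDF defaults: black fill, render mode 0
    nums, strs, findings = [], [], []
    for tok in TOKEN.findall(stream):
        if tok.startswith(b"("):
            strs.append(tok[1:-1].decode("latin-1"))
        elif NUMBER.fullmatch(tok):
            nums.append(float(tok))
        elif tok in (b"[", b"]") or tok.startswith(b"/"):
            continue                        # array brackets and names carry no state
        else:                               # operator: act on the collected operands
            if tok in WHITE:
                white = nums[-len(WHITE[tok]):] == WHITE[tok]
            elif tok == b"Tr" and nums:
                mode = int(nums[-1])
            elif tok == b"q":
                saved.append((white, mode))
            elif tok == b"Q" and saved:
                white, mode = saved.pop()
            elif tok in SHOW_TEXT and strs and (white or mode == 3):
                reason = "white fill" if white else "invisible mode"
                findings.append((reason, "".join(strs)))
            nums, strs = [], []
    return findings

# Constructed sample: an uncompressed page content stream with placeholder values.
SAMPLE = b"""
q 0 g BT /F1 10 Tf 72 700 Td (Service: Mobile) Tj ET Q
q 1 1 1 rg BT /F1 10 Tf 200 700 Td (0400 000 000) Tj ET Q
BT /F1 10 Tf 72 680 Td (Total: $42.10) Tj ET
BT /F1 10 Tf 3 Tr 72 660 Td [(Ref ) -20 (A-17)] TJ ET
"""

if __name__ == "__main__":
    for reason, text in hidden_text(SAMPLE):
        print(f"{reason}: {text!r}")
```

White text on a dark background is legitimate, so findings are items for a human to review before the file is published, not proof of a failed redaction.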
