The home affairs department exposed the personal information of more than 50 small business survey participants who were sought for their views on cybersecurity, Guardian Australia can reveal.
The names, business names, phone numbers and emails of the participants in the survey were published on the parliament website in response to a question on notice from May’s Budget estimates hearing.
The research report from firm 89 Degrees East was developed as part of the cyber wardens pilot program launched in the wake of last year’s Optus and Medibank cyber attacks, and was included in a bundle of responses about the program to answer a question from the shadow cyber security and home affairs minister, James Paterson.
The program, which went on to receive $23.4m in the May budget, is aimed at training small businesses and the workforce to be “cyber smart” and aware of possible cyber threats.
The Understanding Small Business and Cyber Security report, which contained the personal information, surveyed over 2,000 business owners and employees, and found 44% had experienced a cyber attack, with 29% saying they had experienced a cyber attack affecting their own personal information.
The published information covered those who participated in the survey and indicated they wanted to hear more about the cyber wardens program. The information was removed from the parliament website this week.
Paterson said the department should be an exemplar of good cyber security practice and privacy protection.
“It’s deeply ironic this breach of personally identifiable information occurred in an answer to a question about improving cyber security for small businesses and from a department whose minister publicly attacked Optus when they had similar data stolen by a criminal gang,” he said.
“As bad as Optus, Medibank and other recent data breaches have been, a loss of data on that scale by a government department or agency could be even worse given the sensitivity of the material involved.”
A spokesperson for home affairs said the department “is aware of a potentially unintentional data release” and sought the removal of the information from the internet.
“The department will consider its obligations in accordance with the Privacy Act, including contacting impacted individuals.”
The cyber wardens program is a Council of Small Business Organisations of Australia initiative delivered by 89 Degrees East that runs as a free online education course for small businesses to train employers and employees to protect their businesses from cyber threats, with the aim to train 50,000 “cyber wardens” over three years.
In June, the prime minister, Anthony Albanese, was questioned by the opposition about the $23m grants being awarded without tender to COSBOA, which partnered with 89 Degrees East. The opposition had questioned whether there was a conflict of interest given 89 Degrees East lists the wife of the health minister, Mark Butler, as a senior consultant, when the money was approved by the expenditure review committee Butler sits on.
In parliament at the start of June, Butler said he had made all appropriate declarations to the prime minister as required by the ministerial code, and his wife’s contract had been mentioned, despite her contract having ended in 2021. He said that arrangements were in place to manage any potential conflicts of interest.
Daniela Ritorto resumed working for the firm in February this year, but quit in May. News.com.au reported that the firm had a standing agreement with Ritorto not to undertake any government work given her links to the Labor party.