Australia's Department of Social Services has notified thousands of current and former employees that their personal and financial data has been breached and exposed for over a year.
The department sent emails earlier this month to 8,500 employees notifying them of a "data compromise relating to staff profiles within the department's credit card management system prior to 2016," the Guardian first reported.
The compromised data included employees' names, usernames, work phone numbers, work emails, system passwords, Australian government services number, credit card information, public service classification and organisation unit.
The data was managed by a third-party contractor called Business Information Services (BIS). A DSS spokesman told Guardian Australia that the sensitive data was left exposed from June 2016 until October 2017. The compromised information was dated between 2004 and 2015.
The Australian Signals Directorate notified the DSS of the data leak on 3 October 2017, the spokesman said.
"The Australian Cyber Security Centre immediately contacted the external contractor to secure the information and remove the vulnerability within hours of notification," the spokesman said.
The letter sent to employees by DSS chief financial officer Scott Dilley reportedly blamed the breach on "the actions of the department's third-party provider" and noted that the intrusion was "not a result of any of the department's internal systems."
"The data has now been secured," Dilley wrote, adding that there is currently "no evidence" that the data or the department's credit cards have been misused. The DSS has advised employees to change their passwords, and to change them on any other websites or applications where they reuse the same credentials.
According to BIS, the breach occurred due to a "control vulnerability." As a result, some historical information about DSS employees' work expenses was "vulnerable to possible cyber-breach," a spokeswoman said.
She added that the compromised data included "partially anonymous work-related expenses" such as "cost centres, corporate credit cards without CCV and expiry dates, and passwords that were hashed and therefore not visible." Most of the credit card details included in the breach had expired, she noted.
BIS said the vulnerability was "secured within four hours" and that the data is no longer publicly accessible. The private company is now conducting a security review into the exposure, although it reportedly categorised the vulnerability as "low-risk."
Social Services Minister Christian Porter has ordered an investigation into the data leak. News of the breach has prompted a backlash from the Australian Greens, who blame outsourcing for the exposure.
Greens Senator Rachel Siewert said the data leak "demonstrates the risks of outsourcing work on sensitive material to private contractors".
"The federal government is continually looking to outsource and privatise department and Centrelink services, and here is another example of the associated risks," she said. "Handing sensitive material to private contractors who do not have the same checks and balances means that breaches are more likely to occur.
"Rather than see these incidences as a red flag, the Government is pushing on with privatisation, recently announcing they will hire more privately contracted staff to prop up the robo-debt scandal. I have no doubt that sensitive material will change hands and clearly this puts the confidential details of Australians at risk."