The blunder became known 10 minutes after email delivery

Mar 30, 2015 10:19 GMT

Personal info of 31 international leaders participating in the G20 Summit last year in Australia has been inadvertently exposed to a third party by an employee of the Australian Department of Immigration.

The privacy blunder occurred after the employee failed to check the email address auto-fill suggestion in the Outlook client and sent the message to someone working for the Asian Cup Local Organizing Committee.

Leaders were not informed of the mishap

The two-day event was held in Brisbane, on November 15-16, 2014, and preparation took more than two years in order to make sure that no safety measure remained unexplored.

The leak was disclosed to the Australian privacy commissioner, but the G20 Summit participants whose data was exposed received no notification on the matter, according to an email obtained by The Guardian under Australia’s freedom of information laws.

Among the affected leaders are Barack Obama (President of the US), David Cameron (UK Prime Minister), Vladimir Putin (President of Russia), Angela Merkel (Chancellor of Germany), Francois Hollande (President of France), Xi Jinping (President of China), Park Geun-hye (President of South Korea), Tony Abbott (Prime Minister of Australia), Dilma Rousseff (President of Brazil), Stephen Harper (Prime Minister of Canada), Shinzo Abe (Prime Minister of Japan), and Matteo Renzi (Prime Minister of Italy).

The letter to the privacy commissioner reveals that names, dates of birth, passport numbers, visa grant numbers and visa subclasses were leaked.

Risk of misuse is minimal

The incident became known when the Department of Immigration employee received a reply to the email informing her that she had sent it to the wrong person, less than ten minutes after the delivery.

As soon as this was learned, security steps were taken to make sure that the data could not be accessed by other individuals. The recipient declared in writing that the message had been deleted and the deleted items folder emptied, and he also disabled any email retention period to ensure that everything was gone.

A backup copy was not created, as the process was scheduled to take place at a later time; no record exists of the message having been forwarded to another email address.

Because of this, and the fact that no contact details or other associated personal data (like SSNs and their equivalents) were included, the decision was taken not to inform the leaders. Furthermore, the leaked personal data is available in the public domain.