The Department of Foreign Affairs and Trade (DFAT) has accidentally leaked the private email addresses of thousands of vulnerable Australians stuck overseas due to coronavirus restrictions.
Several emails sent in batches from DFAT on Wednesday contained information about two types of interest-free emergency loans available to Australians stranded overseas in vulnerable financial positions.
In an email obtained by HuffPost Australia, almost 1,000 private email addresses are visible in the header.
DFAT immediately recalled the email and apologised to recipients, but one recall email shows email addresses again visible in the email’s header.
Usually with private mass emails like this, the sender uses the BCC tool, which stands for “blind carbon copy” — this is a way of sending emails to multiple people without them knowing who else is getting the email. DFAT CC’d more than 1,000 people, who could all see one another’s private email addresses.
An Australian stranded in the United Kingdom, who requested anonymity due to privacy concerns, said they were “disgusted” at the leak, which raised cyber security concerns for thousands of Australians in vulnerable situations.
“I’m quite disgusted about this mistake and feel like our situations are being made into some kind of joke. I feel like we are being trolled by the government,” the source said.
“Other than the chance of receiving unwanted junk emails, I can’t help but worry about people in more vulnerable positions being scammed in desperation of getting home,” the source added. “The information we completed included our passport details — how safe is that data, if a simple BCC has been missed?”
Apology Email ‘Not Good Enough’
The number of Australians allowed to return home has been limited to 4,000 a week since July, which has caused chaos for at least 27,000 Australians who remain stuck overseas, though the Board of Airline Representatives of Australia puts that number closer to 100,000.
Many stranded Australians are complaining of repeated flight cancellations or being “bumped” off flights in favour of business- or first-class passengers, sometimes within hours of departure. Ghost planes are flying into Sydney, Perth, Adelaide and Brisbane sometimes with as little as four people in the economy cabin.
Australians overseas say they feel “betrayed” or “abandoned” by the government, and have called on DFAT to improve its response.
Another Australian, stranded in Germany, who also requested to remain anonymous, said the breach compounded feelings of frustration amongst the community of Australians stranded overseas.
“We were told to register with the government because they would help us come home, but so far there has been no meaningful help — all they have managed to accomplish is a breach on our personal data, putting already desperate people in an even more vulnerable situation,” they said.
“What will happen to people who may be scammed with fake repatriation flights as a result of this? How do we know which further emails from the government are genuine?”
“A sorry email doesn’t seem good enough,” they added.
Data Breach An ‘Unacceptable’ Additional Stress On Australians Stranded Abroad
DFAT on Wednesday tweeted an apology for the gaff which involve 2,727 email addresses.
“DFAT is reviewing its internal processes and has taken additional measures to ensure this mistake is not repeated,” a Department of Foreign Affairs and Trade spokesperson told HuffPost Australia.
Dr Bruce Baer Arnold, Vice Chair of the Australian Privacy Foundation said the bungle was “consistent with laziness and lack of responsibility.”
“This appears to be the standard BCC problem in Australian government and business. It’s a simple and very avoidable error,” Dr Baer Arnold told HuffPost Australia. “It reflects corporate disregard, weak law and weaker enforcement by under-resourced timid regulators such as the Office of the Australian Information Commissioner (OAIC).”
Pieter den Heten, who founded the Remove the Cap website that maps out Australians stranded overseas in more than 40 countries and manages a Facebook support group for Australians unable to return home, said the data breach was an “unacceptable” additional stress on people in already vulnerable situations.
“Pairing the content of these emails with the leak of private email addresses, it isn’t an unfair assumption that you could figure out someone’s identity, and that they are experiencing (financial) hardship or are otherwise in distress,” den Heten said.
“This is unacceptable considering many people are in particularly vulnerable situations, often alone in foreign countries under less-than-ideal circumstances. I really don’t want to speculate what you can do with just this information, but it can definitely open a door for people with bad intentions,” he said. “This notion causes a lot of additional stress to the people affected.”