Russian Dolls 101: news of historic Australian security breaches discovered nested inside a more recent national security breach

Opps, the Australian Federal Police (AFP) permanently lost 707 Cabinet and National Security Committee documents between 2008 and August 2013.

 The general public find out about these losses approximately four to ten years later in January 2018, when mention was made of the situation in one file document within thousands of other top-secret and highly classified documents obtained by the ABC after yet another security breach involving Cabinet papers and other classified files found in old government locked filing cabinets sold at public auction in Canberra.

Even John le Carré would have thought this plot line was nigh on unbelievable - but then he didn't know our very own federal bureaucracy.

ABC News, 31 January 2018:

The Australian Federal Police (AFP) lost nearly 400 national security files in five years, according to a secret government stocktake contained in The Cabinet Files.

The Department of Prime Minister and Cabinet regularly audits all government departments and agencies that have access to the classified documents to ensure they are securely stored.

The missing documents are not the same files the ABC has obtained.

The classified documents lost by the AFP are from the powerful National Security Committee (NSC) of the cabinet, which controls the country's security, intelligence and defence agenda.

The secretive committee also deploys Australia's military and approves kill, capture or destroy missions.

Most of its documents are marked "top secret" and "AUSTEO", which means they are to be seen by Australian eyes only.

An email exchange between the cabinet secretariat and the AFP reveals the documents were lost between 2008 and 2013……

Troop deployments in Afghanistan and Iraq, counter-terrorism operations, foreign relations and Australia's border protection were among the top-secret and sensitive issues decided in the five-year period.

The cabinet secretariat's general practice was to give up searching and write off lost documents if they could not be found after consecutive audits, according to another document in The Cabinet Files.

Of course it is only three or four years ago that nearly 5,000 secret, confidential and restricted documents from two major federal departments held in a "B Class" secure container ended up in a recycling yard in Canberra.

There was an internal inquiry at the time but that obviously didn't translate into accounting for the whereabouts of all secure containers/filing cabinets and safes holding sensitive documents.

Given the fact that Australia's public broadcaster actually had possession of documents in the latest security breach, rather belatedly the secutity services began to care about national security.

ABC News, 1 February 2018:

ASIO officers have moved to secure the thousands of top secret and classified Cabinet files obtained by the ABC, in early morning operations in Canberra and Brisbane.

Officers delivered safes to the public broadcaster's Parliament House Bureau and South Bank studios around 1:00am, just hours after the massive national security breach was revealed.

The ABC still has access to the documents, now kept in the safes, and negotiations are still underway between lawyers for the ABC and the Department of Prime Minister and Cabinet (PM&C).

The department launched an urgent investigation on Wednesday, after it was revealed the trove of documents had been discovered in two locked filing cabinets offloaded to a second-hand furniture depot in Canberra.

The Department of Prime Minister and Cabinet (PM&C) launched an urgent investigation into how the massive breach occurred, within an hour of the ABC revealing the trove of documents.

But the ABC understands the Australian Federal Police (AFP) are yet to join the inquiry.

* Russian Doll pic found at Google Images

Things you should know if you are logging on to a website using your Facebook account

Facebook for developers

The Daily Telegraph, 5 January 2018:

Ian Cox of Supremo.tv said: “If you’ve ever pressed ‘Login with Facebook’ on a website, you’re giving Facebook permission to share sensitive data with the site you are visiting.

“This includes, for example, your personal email address, where you live, where you work, details about your relationship, places you have recently been and who you’re friends with.

“In today’s digital age, people are sharing just about everything on social media sites like Facebook. But most are unaware of just how much can be seen by brands, businesses and, in some cases, criminals.

“The best way to stay protected online is to only share what you would be happy with the whole world seeing.

“As tempting as it may be to rejoice about the fact that the whole family is going on a weekend away, keep in mind that you may be inadvertently letting criminals know that your house is empty during this time.”

WHAT INFORMATION CAN FACEBOOK SHARE ABOUT YOU?

* Your public profile (name, age, gender, location, profile picture, timezone)

* All your likes

* Your friends

* Where you are now

* Your email address

* Your photos

* Your “about me” section

* All your posts

* Your birthday

* Your relationship details

* Your education history

* Your religion/politics

* Events you’ve been to

* Your work history

* Where you are from

* Your phone number

Crime trends in the Clarence Valley October 2007 to September 2017

In the ten years between October 2007 and September 2017 crime trends in the Clarence Valley Local Government Area have remained numerically and statistically small in 5 crime categories covering murder and violent robbery.

While crime trends remain stable in 6 crime categories (assault unrelated to domestic violence, sexual assault & other sexual offences, stealing from a car and stealing from a store ) and fallen in another 4 crime categories (stealing motor vehicles and break, enter dwellings & non-dwellings and malicious damage).

Crime trends have only risen in 2 out of 17 commonly listed crime categories over these ten years – Fraud up 10.5 per cent & Assault –Domestic Violence Related up 3.6 per cent.

October 2007 to September 2017

Fraud, Clarence Valley Local Government Area

Statistically significant Upward trend over the 120 month period.

The average annual percentage change was: 10.5%

October 2007 to September 2017
Assault - domestic violence related, Clarence Valley Local Government Area

Statistically significant Upward trend over the 120 month period.
The average annual percentage change was: 3.6%

Other crimes that are often mentioned whenever the subject of crime arises.

October 2007 to September 2017
Sexual assault, Clarence Valley Local Government Area

No statistically significant upward or downward trend over the 120 month period.

October 2007 to September 2017
Indecent assault, act of indecency and other sexual offences, Clarence Valley Local Government Area

No statistically significant upward or downward trend over the 120 month period.

October 2007 to September 2017
Break and enter - dwelling, Clarence Valley Local Government Area

Statistically significant Downward trend over the 120 month period.
The average annual percentage change was: -5.5%

October 2007 to September 2017
Motor vehicle theft, Clarence Valley Local Government Area

Statistically significant Downward trend over the 120 month period.
The average annual percentage change was: -4.2%

October 2007 to September 2017
Malicious damage to property, Clarence Valley Local Government Area

Statistically significant Downward trend over the 120 month period.
The average annual percentage change was: -5.9%

As for drug and alcohol offences in the Clarence Valley Local Government Area (est. resident population 51,367), the data collected over the ten year period revealed that cannabis cultivation was stable but possession and use of cannabis had risen over that period. While possession and use of cocaine, ecstasy,narcotics and other drugs was numerically small and statistically insignificant over those same ten years.

Click on images to enlarge

Selected crimes across 17 major crime categories.

Clarence Valley Local Government Area Crime Trends - October 2007 to September 2017 by clarencegirl on Scribd

NSW Bureau of Crime Statistics and Research Crime Trends Interactive Tool to create graphs and tables for other NSW local government areas.

Can anyone believe anything Australian Human Services Minister Alan Tudge and his motley crew say?

The New Daily,  21 November 2017:

The Department of Human Services flagged the illegal sale of Medicare details on the dark web almost a fortnight before the illicit trade was exposed in a bombshell media report, The New Daily can exclusively reveal.

Internal emails, obtained under freedom of information laws, reveal that department officials discussed the security issue as early as June 22 – nearly two weeks before revelations that Medicare numbers were being sold online.

On July 4, The Guardian revealed that a dark web vendor was advertising the sale of any Australian’s Medicare number for the bitcoin equivalent of just $22 after exploiting a government system vulnerability.

In the wake of the revelations, Human Services Minister Alan Tudge said that he and his department had only learned of the illicit trade when contacted by a Guardian journalist on July 3.

However, high-priority correspondence within DHS shows that senior officials discussed the trade on the dark net, which is only accessible through a customised browser, nearly two weeks before it made the news.

On June 22, Rhonda Morris, national manager for serious non-compliance, raised the issue with Kate Buggy, national manager for internal fraud control and investigations, and Mark Withnell, general manager of business integrity, as well as several unnamed officials.

In a later email on July 3, Mr Withnell apparently connected The Guardian’s inquiries to the department’s earlier discussions on the issue, writing to colleagues: “This is the one I was mentioning last week.”

It is unclear exactly what DHS knew about the sale of Medicare details on the dark web prior to July’s media report.

Citing exemptions related to law enforcement and criminal investigations, the department redacted most of the content of the emails released to The New Daily.

It refused to release numerous other related emails entirely.

A DHS spokesman denied the department had knowledge of a specific breach in June and said its internal discussions had only related to general matters……

In September, DHS told the Senate that as many as 165 people may have had their Medicare numbers sold to unknown parties, although there had been no unauthorised access of any Australian’s health records.

Last month, a seperate review commissioned by the department recommended beefing up the authentication procedures required to access the online database used by healthcare professionals.

Although the AFP is continuing to investigate the source of the breach, the government has said it was likely the result of “traditional criminal activity” rather than a cyber attack.

In February, DHS was embroiled in controversy after it released the personal information of a Centrelink recipient to a journalist in order to diffuse claims she made in the media.

So troubled multinational Serco's staff are going to answer phone calls made to Centrelink in a Turnbull Government pilot program?

Multinational Serco Group plc registered in England and Wales, with revenue in 2016 of an est. $5 billion and an underlying trading profit of est. $139 million, has made the news again.

One of its subsidiaries, SERCO CITIZEN SERVICES PTY LTD¹ ABN:89 062 943 640, won this $53.75 million federal government contract commencing 7 September 2017:

CN ID: CN3460117

Agency: Department of Human Services

Publish Date: 11-Oct-2017

Category: Temporary personnel services

Contract Period:

7-Sep-2017 to 29-Oct-2019

Contract Value (AUD): $53,752,454.80

Description: Centrelink Call Centre Enhancements Initiative

On 11 October 2017 it was reported that the Minister for Human Services Alan Tudge stated this contract was for a pilot commencing in late October 2017 would help reduce Centrelink call wait times.

An est. 250 Melbourne-based Serco staff will take calls about welfare payments in the three-year pilot program.

The minister’s office stated: "Under the partnership arrangement, Serco's staff will be fully trained and will comply with all Commonwealth government privacy and security requirements".

Of course Serco will comply, Minister.

Just as it has on every single contract in the past......

Stolen Laptop Exposes Personal Data on 207,000 Army Reservists. Serco held the data on reservists as part of its contract with the U.S. Army’s Family and Morale, Welfare and Recreation division. As a result, Dahms said, some of the data on the missing laptop may belong to dependents and spouses of U.S. Army reservists, 13 May 2010

Serco's paper trailer raises accountability questions. Crikey has taken a closer look at the extent that Serco contracts outsources to other companies and can reveal that millions of dollars from the detention contract has ended up in some startling places, 1 November 2010

Serco employee suspected of Victoria Police breach. Man accused of adjusting 67,541 traffic infringement records, 15 April 2011

Contract breaches by the operator of Australia's detention centres are incurring 'unsustainable' fines, 13 July May 2011

Serco operates and maintains a surprisingly large and diverse range of services in both the UK and Australia, as well as in several other countries. Its website lists some examples of the scale of its operations including: traffic management systems covering more than 17,500kms of roads worldwide, managing 192,000 square miles of airspace in five countries, managing education authorities on behalf of local governments, and providing defence support services worldwide.[2] Serco also manages a number of hospitals, prisons and detention centres, and is involved in a host of other services.[3]…..Focussing on the company Serco, there have been numerous reports of instances where its service provision has been sub-standard, high-cost, has eliminated diversity, or has lacked accountability. Putting this focus on Serco’s faults is not to say that it is any more prone to failures than other corporations in this area, or that it is always unsuccessful in its service provision. Rather, the point is to show clearly the dangers of privatisation, and why it must not be accepted as a universal good, 7 March 2012

Computer security breach at Serco affects 123,000 Thrift Savings Plan participants, 25 May 2012

Gaol escapes blamed on Serco Pacific cost cutting on $1.8 billion Australian government contract, 29 May 2013

Sexual abuse allegations corroborated at Yarl's Wood immigration centre run by Serco, 22 September 2013

Sources in the justice system blamed the foul-up on staffing issues at Serco. One said: "This sort of thing happens every week." The seven-year PECS deal has turned into a horror show for Serco. It faces allegations that it doctored transfer records to flatter its performance, with five Serco staff under investigation by the City of London police. That is not its only problem contract. There are separate claims that, along with rival outsourcer G4S, it overcharged taxpayers on a deal to put electronic tags on criminals, 17 October 2013

Private contractors Serco has agreed to repay £68.5million to the taxpayer after over-charging for tagging criminals. The firm was investigated by the Ministry of Justice over claims that together with rival company G4S it over-charged for tens of thousands of criminals, including those who had left the country, been returned to prison or even died, 19 December 2013

Outsourcing giant Serco is embroiled in a fresh misuse of public funds scandal after a company it set up overcharged NHS hospitals millions of pounds, 27 August 2014

Serco is failing, but is kept afloat thanks to Australia's refugee policy. It’s a sign of the times that a company like Serco, with murky financial statements masking its true economic shape, is continually rewarded for failure by new and larger contracts, 11 November 2014

Serco turned 'blind eye' to corruption in UK immigration jail, court hears, 26 February 2015

Serco has brought a culture of profiteering, bullying, intimidation and corruption to Mt Eden prison, a Whangarei barrister says.The comments come as controversy surrounds the private company that operates the prison, and with Corrections boss Ray Smith revealing a third incident at the facility has left him no choice but to seek legal advice in regards to the contract, 24 July 2015

On Monday, Serco was fined $NZ500,000 ($A328,750) and was prohibited from overseeing operations at the correctional facility while an internal investigation took place. The fine came after six disturbing videos — shot on a smartphone and smuggled inside the prison — surfaced on YouTube earlier this month. The videos showed prisoners participating in organised ‘fight clubs’ as large groups of fellow inmates watch on. Inmates were also seen blatantly smoking and drinking alcohol in the videos, which were captured without the knowledge of staff. However, the NZ prison officers union said bosses knew about the fight club for up to 18 months, but did nothing about it, 29 July 2015

A GUARD at the Wickham Point Detention Centre in Darwin has been fired after it was found he was trying to coerce female detainees into having sex with him. Serco, the company contracted to run Australia’s immigration facilities, said in a statement to the NT News that a detainee services officer from Wickham Point was dismissed in late May following two separate complaints from female detainees, 6 August 2015

Fiona Stanley Hospital: dirty theatres, IT woes blamed on Serco, 23 September 2015

A Serco guard at a Melbourne immigration centre has been sacked following allegations he made inappropriate sexual advances towards a female detainee and sexually harassed female guards while on duty, 12 February 2016

High levels of violence and poor conditions in Serco-run UK prison, 9 March 2016

Corruption allegations at a Secro managed prison, 2 June 2016

The scandal of refugees housed in 'slum conditions' in Scotland by Serco sub-contractor, 12 June 2016

Serco shares slide as investor concerns mount over turnround. Revenues and profits fall after hit from lossmaking and terminated contracts, 23 February 2017

Serco officer fired for supplying drugs to Christmas Island detainees,18 July 2017

Serco targets further cost cutting as it seeks to keep its profits on track. Serco boss Rupert Soames has said the company still has costs to cut before it is trading at full strength, as the firm enters the middle stage of its five-year turnaround plan. He said that there were plans to further reduce overheads and make Serco’s processes more efficient, as well as bringing down some of its IT costs. “We’ve still got a lot of costs that we have to get out of the business,” he said, 3 August 2017.

Serco lost the Prisoner Transport contract, its contract to run Wandoo Prison won't be renewed in 2018 and prison will return to public hands, 27 August 2017

Clarence Valley residents may recall that Serco is part of a three-corporation consortium building the new $1.5 billion Grafton gaol.

Footnotes

1. Serco provides care and welfare services, on behalf of the Department of Immigration and Border Protection, to people living in Australian onshore immigration centres whilst their visa status is resolved. Since 2009, more than 61,000 individuals have been in our care, representing more than 20 different cultural and linguistically diverse communities. Within the Australian justice system, Serco operates three prisons: the Southern Queensland Correctional Centre (Queensland) with 400 beds, Acacia Prison (Western Australia) with 1400 beds and the Wandoo Reintegration Facility (Western Australia) with 80 beds.

See http://www.serco-ap.com.au/media/206689/serco_socialcare_4pp_a4brochure_may17_final.pdf

Would you trust these men with your personal health information?

The darknet vendor says they are “exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay. I hope, lol.” [The Guardian, 4 July 2017]

Left to Right: Minister for Human Services and Liberal MP for Aston, Alan Tudge

& Minister for Health and Liberal MP for Flinders, Greg Hunt

These two federal politicians have portfolio responsibility for some of the largest government databases in Australia.

One has portfolio responsibility for those sensitive e-health records which are due to be rolled out nationally on an opt-out basis by 2020.

This is how secure your personal information is on their watch…….

The Sydney Morning Herald, 4 July 2017:

The Australian Federal Police is investigating reports Australians' personal Medicare details are being accessed and sold on the dark web, an apparent breach that has been labelled an "internet catastrophe".

According to a Guardian Australia report, an online vendor can pull up the full Medicare card details of any Australian on request — and is selling them for around $30 each — indicating a security hole somewhere in the health system.

Human Services Minister Alan Tudge said the government was taking the matter seriously. 

The sales are reportedly listed on an undisclosed dark web marketplace, in which the vendor claims to be "exploiting a vulnerability" in order to run software that pulls the data. The vendor calls it "the Medicare Machine".

"Leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full", the listing says, adding that the nature of the security hole being utilised means the vendor will be "here to stay".

In a statement, Mr Tudge said any authorised access to Medicare card numbers was "of great concern" and his department was also conducting its own investigation. 

Medicare's database was always a honeypot waiting to be exploited once governments embraced data matching, data retention and data sharing with much enthusiasm but little understanding.

Once someone decides they want your Medicare details ID theft is now just 0.0089 bitcoin away - as is your abusive former spouse/partner or that anonymous stalker or Internet troll that has been making your life a misery.

UPDATE

Anthony Baxter, 4 July 2017:

You supply the person with name, date of birth and gender and around $30 of Bitcoin they'll give you the person's Medicare number. This is pretty bad, as it allows idemtity thieves to forge them - a Medicare card is usually worth 25 points on the standard 100 point ID check here. The AU govt had no idea this was happening until the journo from The Guardian let them know.

It turns out there's a portal that any health care provider can use to look up Medicare numbers this way. In case you've lost your card or whatever. Likely it's someone who works for one of them selling access, or someone's popped a PC there (more on that to come).

When asked, the relevant government minister (the same guy who presided over the Census fuckup last year (update: I misremembered, that was a different clown), the accidental publishing of PBS data that was poorly deidentified and the ongoing Centrelink robodebt nightmare) claimed it's OK because you can't get access to someone's medical records through the shiny new online electronic health records system with just a Medicare number. Aside from ignoring the ID theft issue there's a liiiiiittle bit of an issue here.

Guess what information you need along with the Medicare number to pull someone's medical records? Did you guess "name, date of birth and gender"? Collect your prize.

According to https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502 the folks who did the Privacy Impact Assessment on the electronic health records system were told it would be secure because you needed Medicare number as well as name/DOB/gender and weren't told you could use the latter to look up the former.

It Gets Worse.

In theory you can only look up this stuff from a secure endpoint, with a client side certificate installed. Which in practice means maybe 20K PCs scattered across every doctors office in the country. Worse still, many of these client certs were originally sent out via unencrypted email, and a nontrivial number were "lost". And you reckon all or even a significant fraction of these 20K boxes are running modern Windows with up to date patches? Me neither. I can't count the number of times I've been left alone in a room with an unlocked doctor's PC while he went to check something.

It (Incredibly) Gets Even Worse.

They have a Two Factor Auth system which doctors are supposed to use. One of the ways to get the 2FA key is, and I wish I was joking here, email.

So get access to a box running some XP/Win7 version that's ludicrously unpatched that's also logged into the doctors email, collect health care records. Australian government cannot computer.

At the moment the electronic health records thing is opt-in, at some point next year they'll be moving to an opt-out scheme with a window to opt-out. There's an email form here https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/content/home where you can sign up to be notified when the window to opt the hell out is opened and I urge everyone to do so ASAP.

UPDATE

The Sydney Morning Herald, 5 July 2017:

The federal government was warned more than three years ago of security deficiencies surrounding personal Medicare data, with the Department of Human Services told it was not fully complying with spy agency rules.

Questioning the department's ability to keep the data safe from "security threats from external and internal sources", the government auditor made a series of recommendations in April 2014 but it is unclear if they were fully implemented.

Can the CSIRO sink any lower?

“Collaborating with government. As a trusted adviser to government, our collaboration within the sector supports it to solve challenges, find efficiencies and innovate.” [CSIRO, Data61]

The Commonwealth Scientific and Industrial Research Organisation (CSIRO) is a federal government corporate entity ultimately responsible to the Australian Parliament.

It started life in the midst of global conflagration in 1916 and for most of its existence it was widely respected both in its country of origin and around the world.

Sadly that level of respect has been diminished in recent years as commercial imperatives saw it move away from its once proud boast that:

The integrity of our science is underpinned by commitment to our values, adherence to our policies and maintaining the highest standards of practice.

However, it had not yet become a low creature of right-wing political ideology.

Until now – when it appears willing to participate in enforcing punitive social policies, cynically presented in the guise of Budget measures by the Turnbull Coalition Government.

In particular, enabling the trial drug testing of income support applicants “based on a data-driven profiling tool developed for the trial to identify relevant characteristics that indicate a higher risk of substance abuse issues” which almost inevitably will target the poor and vulnerable.

Apparently the only matter holding the CSIRO back from full commitment to the trial is the matter of contract negotiations with the Dept. Of Social Security and/or Dept. of Human Services¹.

The cost of this measure has reportedly been deemed by government to be “commercial-in-confidence”.

InnovationAus, 2 June 2017:

CSIRO has still not officially agreed to allow its Data61 analytics unit to become involved in the government’s highly contentious welfare drug testing program, a Senate estimates hearing has been told.

But the delay appears to be related to difficult contract negotiations – for which the research agency is well known – rather than the objections of staff or management to becoming involved in such a politically-driven program.

The Department of Industry, Innovation and Science and CSIRO appeared at the Senate estimates on Thursday morning.

The shocking concession that CSIRO has been in discussion to work on the drug-test project since April comes despite the organisation having specifically declined to confirm any knowledge of the project for weeks – let alone that it was actively negotiating a contract.

This is despite direct questions being put to CSIRO on multiple occasions for weeks.

The estimates hearing also revealed that Data61 has been called into the controversy plagued Social Services robo-debt project that has mistakenly matched debt to welfare recipients.

CSIRO digital executive director David Williams told shadow industry minister Kim Carr that while CSIRO was approached by the Social Services department about the welfare drug testing scheme in late April – less than a month before its involvement was prematurely announced by Cabinet Minister Christian Porter – it is still yet to officially sign on to the project.

“The Department of Social Services approached CSIRO in early April, wanting to implement a trial involving activity tested income support recipients across a small number of geographical areas,” Mr Williams told senate estimates.

“They asked for Data61’s support in doing the analysis to see whether predictive analytics could help them in that task.”

“Since that time we’ve been talking with the department, and scoped out a statement of work and we’ve looked at how we can implement that work should we sign a contract and proceed. At this moment we’re working through the procedures inside CSIRO.”

FOOTNOTE

1. The CSIRO already has a business relationship with the Australian Department of Human Services (DHS). Commencing in February 2017 the CSIRO and/or CSIRO Data61 conducted a Review of Online Compliance Systems, as well as supplying Specialist Data Science Services and Selection Methodologies Advice to the department. See; https://www.tenders.gov.au.

Have an Optus, Vodaphone or Telstra mobile phone account? Your personal details may be on sale in Mumbai

The Sydney Morning Herald, 16 November 2016:

Corrupt insiders at offshore call centres are offering the private details of Australian customers of Optus, Telstra and Vodafone for sale to anyone prepared to pay.

A Fairfax Media investigation can reveal Mumbai-based security firm AI Solutions is asking between $350 and $1000 in exchange for the private information, but even more if the target is an Australian "VIP, politician, police, [or] celebrity".

AI Solutions is just one of potentially several private companies selling phone records, home addresses and other private details of Australian telecommunication company customers. They in turn have received the information from employees of the call centres used widely by Australian businesses.

Security industry sources said the practice has been long-standing. AI Solutions has told customers it has sold people's personal data for several years.

Optus has called in the federal police to investigate the data breach after it was contacted by Fairfax Media.

Optus, Telstra - which is holding an investor briefing in Sydney on Thursday - and Vodafone have stressed they are aware of the problem and have invested heavily in security procedures to counter it.

The revelation underscores the risks facing Australian consumers and businesses as a vast amount of personal or private data is collected and often stored offshore by service providers, financial institutions and government agencies.

It also raises fresh concerns about risks faced in using offshore call centres, where it may be more difficult to ensure data security.

AI Solutions actively markets its services to prospective Australian clients via an Indian businessman who uses the name Imran Khan. It is unclear if this is a false name.

But Fairfax Media has confirmed that AI Solutions has previously, and on numerous occasions, sold Australians' personal data to third parties.

It recently wrote to a Melbourne corporate intelligence and security company, boasting that it has a "long list" of Australian clients buying data from the offshore call centres.

"There are … 3 major telecom numbers details I can provide you. Telstra, Vodafone and Optus," the Indian company's representative wrote in a text message to a prospective client seen by Fairfax Media.

The company charges $350 to provide a person's home address and charges $1000 for a "full extract". This includes a person's home address, date of birth, alternative phone numbers and "more than 1 years billing statements" and "calling data history".

"And for VIP, politician, police, celebrity, charges are different," one message said.

While the data being illegally sold will not contain the actual content of text messages or what has been said during phone calls, it does contain information about who a person has called, the location at which a call is made and other sensitive data and metadata.

This information could be of use to companies engaged in corporate spying or intelligence gathering, private investigators, marketing firms and organised criminals seeking to engage in identity fraud, or to locate people. It is possible that foreign intelligence services could also use the data theft service.

The Indian firm requests payment via Western Union or Money Gram remittance services……

The Australian Federal Police said it had spoken with Optus and Vodafone and had subsequently provided information to Indian authorities.

Office of the Australian Information Commissioner, media release, 17 November 2016:

Statement by the Australian Information and Privacy Commissioner, Timothy Pilgrim, on personal information of Australian telecommunication customers

17 November 2016

I am concerned about allegations that personal information of Australian telecommunication customers is being offered for sale online. My office is making enquiries with Optus, Telstra and Vodafone to determine what further action I may take in this matter.

These allegations, and the community response they have generated, are a reminder that Australian customers expect businesses to handle their personal information in line with Australian law no matter where they operate. 

If anyone has privacy concerns about this incident they can contact my office on 1300 363 992 or enquiries@oaic.gov.au.