G20 World leaders were victims of accidentally privacy breach

The personal details of world leaders have been accidentally revealed by the organisers of the G20 summit, passport numbers and other details belonging to Obama, Xi Jinping, Putin, Merkel, Cameron, Modi and others were revealed.

The accidental privacy data breach occurred at the last G20 summit held in Brisbane in November 2014, the personal information was disclosed by the Australian immigration department, but the organisation did not inform the victims of the incident.

“The Guardian can reveal an employee of the agency inadvertently sent the passport numbers, visa details and other personal identifiers of all world leaders attending the summit to the organisers of the Asian Cup football tournament.” reported the Guardian.

On 7 November 2014, the director of the Visa services division of Australia’s Department of Immigration and Border Protection informed the Australian privacy commissioner of the data breach.

As reported in an email sent to the commissioner’s office, the breach is attributed to an employee who mistakenly emailed a member of the local organising committee of the Asian Cup – held in Australia in January – with the personal information.

“The personal information which has been breached is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (ie prime ministers, presidents and their equivalents) attending the G20 leaders summit,” the officer wrote.

“The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field. This led to the email being sent to the wrong person.” “The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.” “The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”

The officer explained that the recipient that accidentally has received the message has already deleted the information, for this reason it was “unlikely that the information is in the public domain”, and according to the official the absence of other personal identifiers “limits significantly” the risk of the privacy breach.

“The Asian Cup local organising committee do not believe the email to be accessible, recoverable or stored anywhere else in their systems,” continues the immigration officer. “Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach,” she wrote.

The above motivation is not sufficient to avoid disclosure of the privacy breach and is not compliant with privacy law in some of their countries, considering that UK, Germany and France have specific laws that make the mandatory data breach notification. The news of the privacy breach comes a week after the mandatory metadata retention becomes law.

In time I’m writing the Australian immigration department hasn’t revealed if it has notified the privacy breach to the victims.

“The prime minister and the immigration minister must explain this serious incident and the decision not to inform those affected,” said the Australia’s deputy opposition leader, Tanya Plibersek

Pierluigi Paganini

(Security Affairs –  G20, privacy breach )