Vulnerable Australian Kids Impacted by Data Breach

Cyber Security News

A former caseworker in Australia who was investigated over an alleged child sexual abuse offense accessed the sensitive data of vulnerable children for a year after leaving their job.

The caseworker had been contracted by Victoria’s Department of Health and Human Services (DHHS) between April 2016 and September 2017 to work for a government program that aims to stop young people entering out-of-home care.

An OVIC (Office of the Victorian Information Commissioner) report found that while employed by the DHSS, the caseworker had access to a government computer system called CRISSP, which stores and manages files related to disability, family, and youth support services.

The worker’s access privileges to CRISSP, which should have been revoked when they left the role, were not abrogated until October 2018, when the Department of Justice and Regulation identified that the worker had used CRISSP to view information about former and current clients.

CRISSP access logs revealed that the worker had accessed the information system without authorization 260 times between September 2017 and October 2018 and performed 150 searches. Among the information accessed by the worker was the personal details of 27 individuals.

The OVIC investigation found that both DHHS and the contracted service provider who had employed the former caseworker were in contravention of information privacy principles.

“Information gathered to protect children simply cannot be allowed to endanger them—to allow this to happen is not only a breach of privacy, but an unacceptable breach of trust,” said Victoria’s commissioner for children and young people, Liana Buchanan.

After leaving the DHSS, the former caseworker started a new job as a live-in mentor for a different youth services provider. However, that role was terminated in February 2018 when police shared “serious concerns” over the individual’s access to “vulnerable and at-risk children” with the DHHS.

The OVIC report stated: “Victoria Police told DHHS that [the worker]’s work laptop had been handed into a police station and, while trying to locate the owner, officers had discovered child pornography on the laptop.”

Police were unable to prove that the former caseworker was linked to the child sexual abuse material as the laptop had multiple user profiles.