C0636 - refugees | PoliticalClaims.au

Verdict

True

Credibility Rating 7.0/10

Rating Rationale

The claim is factually accurate regarding the breach details, the lack of password protection, the insecure storage, and the failure to notify affected individuals. The deduction reflects that: (1) the claim implies deliberate concealment without proving intent, (2) it omits the complex contractor-operated environment on Nauru, and (3) it doesn't distinguish this physical theft from the separate February 2014 online data breach. The underlying issue was systemic data security failures across the immigration detention system, not solely the actions of the Immigration Minister's office.

Refugees

Date Analyzed Not specified

Reading time ~3 mins

Evidence Count 🔗 6 sources

Want to cite this?

Use our unique ID when referencing this fact-check in public discourse. C0636

C0636

The Claim

“Chose not to tell asylum seekers that sensitive information about their asylum claims, mental health problems and more was stolen again. The data was left on a hard-drive without password protection, outside of the lockable store-rooms.”

Refugees

Original Source: Matthew Davis

Original Sources Provided

mdavis.xyz

Documentation of Coalition government policies and claims.

Matthew Davis

✅ FACTUAL VERIFICATION

The claim refers to a second data breach that occurred in 2014, separate from the more widely reported February 2014 incident where ~10,000 asylum seeker details were inadvertently published online [1].

Key facts about this second breach:

In April and May 2014, at least two external hard drives containing sensitive asylum seeker information were stolen from the Nauru Immigration Detention Centre [2][3]. The stolen hard drives:

Were not password-protected [2][3]
Contained personal details, case files, medical histories, and protection claims for hundreds of asylum seekers, including children [2]
Included mental health and behavioral issue records, complaints about treatment, allegations of abuse, and minutes of "vulnerable minors meetings" [2]
Were reportedly kept in an unlockable office accessible to any staff member at the Nauru centre [3]

The first hard drive was stolen from an office tent in April 2014. Internal correspondence noted: "Obviously this is concerning for several reasons. It contains documents with clients' personal details... it highlights how unsecure the office tents are" [2]. A second hard drive containing child protection information was stolen less than a month later [2].

Regarding notification:

Guardian Australia reported in October 2014 that "the asylum seekers have not been told their personal information has been stolen" [2]. This was confirmed by multiple sources at the time. The breach had occurred months earlier (April-May 2014) without notification to affected individuals.

Missing Context

The operating environment on Nauru:

The hard drives were stolen from the Nauru Immigration Detention Centre, which was operated by contractors including Save the Children and Wilson Security, not directly by Immigration Department staff [2]. The centre had documented security challenges including:

Equipment stored in "office tents" with limited physical security
No secure storage for keys to storerooms and shipping containers
Previous thefts of mobile phones, hard disks, laptops, and fans from locked cabinets [2]

Distinction from the February breach:

This second breach (theft of physical hard drives) was different from the February 2014 breach where the department inadvertently published data online. The February breach affected ~10,000 people and resulted in an official Privacy Commissioner investigation that found the department had breached the Privacy Act [1][4].

Response actions:

After the February breach, the department did take remediation steps including:

Engaging KPMG for a management review [4]
Removing personal information from underlying datasets before publication
Rolling out staff training and awareness campaigns [4]
Committing to engage an independent auditor [4]

However, these measures did not prevent the separate physical theft incident on Nauru.

Source Credibility Assessment

The original source is The Guardian Australia (October 17, 2014), a mainstream media outlet with a generally strong reputation for factual reporting. The article was written by Ben Doherty, a respected journalist covering immigration and asylum seeker issues. The claims in the article were based on:

Internal correspondence obtained by the publication
Direct statements from involved parties (Save the Children, Wilson Security)
Legal experts (David Manne from Refugee and Immigration Legal Centre)

The Guardian's reporting on this matter was consistent with subsequent reporting by other outlets including SBS News [3]. The Privacy Commissioner's official investigation [4] confirmed the systemic issues with data security in the Department of Immigration and Border Protection during this period.

Verdict on source credibility: The Guardian is a credible mainstream source. The specific claims in this article align with documented facts and were not disputed by the government or contractors at the time.

⚖️

Labor Comparison

Did Labor do something similar?

Search conducted: "Labor government immigration data breach asylum seekers 2007-2013"

Finding: No direct equivalent data breach involving asylum seekers was found during the Labor government period (2007-2013).

However, data security issues are a systemic challenge across Australian government departments regardless of which party is in power:

The Privacy Commissioner's investigation into the February 2014 breach noted that the department had "policies [that] implied that it was aware of the risk of embedded personal information" but these were not effectively implemented [4]. These systemic issues predate the Coalition government.
The offshore detention policy on Nauru was initiated under the Labor government (reopened in 2012), though the specific data security failures occurred during Coalition management of the facility [5].
Various Australian government departments under both Labor and Coalition governments have experienced data security incidents, suggesting this is a systemic issue rather than unique to one party.

Comparative conclusion: While there is no direct "Labor equivalent" of this specific data breach, the underlying conditions (offshore detention infrastructure, complex contractor arrangements) were established under Labor and continued under the Coalition.

🌐

Balanced Perspective

What the claim gets right:

Asylum seekers were indeed not notified that their personal information had been stolen [2]
The hard drives were not password-protected [2][3]
They were stored in an unlockable office environment [3]
The information included highly sensitive material (mental health records, abuse allegations, protection claims) [2]

Important context the claim omits:

The theft occurred at a remote offshore facility (Nauru) operated by contractors, not in a controlled departmental office
Physical security challenges in the Nauru detention centre were significant and known - including theft of other equipment from locked cabinets [2]
The government had taken steps to improve data security after the February 2014 breach, though these didn't address the physical security issues on Nauru
The hard drives belonged to Save the Children (a contractor), which conducted its own internal investigation [2]

Why notification may not have occurred:
While the claim implies deliberate concealment, the reasons for non-notification were not fully explained by the government. Possible explanations include:

Ongoing investigations (Save the Children internal review, Philip Moss independent review of Nauru conditions) [2]
Uncertainty about what data was actually compromised
Concerns about alarming detainees in an already volatile environment

However, the failure to notify is a serious breach of privacy best practice, and the Privacy Commissioner later (2021) ordered the department to pay compensation to victims of the separate February 2014 breach, finding that "a loss of privacy or disclosure of personal information may impact individuals" [6].

TRUE

7.0

out of 10

The core facts of the claim are verified: (1) asylum seekers were not informed their data had been stolen, (2) the data included sensitive information including mental health records and protection claims, (3) the hard drives were not password-protected, and (4) they were stored outside lockable store-rooms in an unlockable office. These facts were reported at the time by credible media and were not disputed.

However, the claim implies the government actively "chose" not to tell asylum seekers, suggesting deliberate concealment. While technically accurate that they were not told, the reasons for non-notification were never fully explained. The passive voice ("chose not to tell") implies more agency than documented evidence confirms. Nonetheless, the factual elements of the claim are correct.

Final Score

7.0

OUT OF 10

TRUE

📚 SOURCES & CITATIONS (6)

Rating Scale Methodology

1-3: FALSE

Factually incorrect or malicious fabrication.

4-6: PARTIAL

Some truth but context is missing or skewed.

7-9: MOSTLY TRUE

Minor technicalities or phrasing issues.

10: ACCURATE

Perfectly verified and contextually fair.

Methodology: Ratings are determined through cross-referencing official government records, independent fact-checking organizations, and primary source documents.

PoliticalClaims.au

The Claim

Original Sources Provided

mdavis.xyz

✅ FACTUAL VERIFICATION

Missing Context

Source Credibility Assessment

Labor Comparison

Balanced Perspective

TRUE

TRUE

📚 SOURCES & CITATIONS (6)

Department of Immigration and Border Protection: own motion investigation report

Asylum seekers' personal details stolen in second immigration data breach

Immigration Department breached Privacy Act, Commissioner says

Asylum data breach: immigration unlawfully disclosed personal details

Back to the Future: Australian Border Policing Under Labor, 2007-2013

Home Affairs ordered to pay compensation after breaching the privacy of almost 10,000 asylum seekers

Rating Scale Methodology

Navigate Between Claims