The Claim
“Accidentally published personal details about almost 10,000 asylum seekers and their claims. Regardless of whether the original asylum claims were genuine, if those asylum seekers are returned to their country of origin, they and their family may be imprisoned, tortured or killed because governments and militias in their country of origin will know they sought asylum. After discovering the blunder, the government took 13 days to remove the information from public view. As part of a press release about the accidental leak the government made public further information about where to find the still life threatening document.”
Original Sources Provided
✅ FACTUAL VERIFICATION
The core facts are largely accurate.
On 21 February 2014, the Australian Information Commissioner opened an investigation after media reports revealed that the Department of Immigration and Border Protection (DIBP) had published personal information of approximately 9,528 asylum seekers on its website [1]. The information was contained in a Microsoft Excel spreadsheet embedded within a Microsoft Word version of a routine "Immigration Detention and Community Statistics Summary" dated 31 January 2014 [2].
The Privacy Commissioner's investigation, released in November 2014, found the department breached two privacy principles: unlawful disclosure of personal information and failure to have reasonable safeguards in place [3]. The report confirmed:
- The data included personal details of almost 10,000 asylum seekers (9,528 confirmed, with over 2,500 being children) [4]
- The information was accessible online and was accessed over 100 times from IP addresses in 16 countries including China, Russia, Egypt, Pakistan and Malaysia [5]
- The department took 13 days to request removal of cached copies from the Internet Archive after being notified by Guardian Australia, leaving data publicly exposed for 16 days total [3]
- Minister Scott Morrison and department secretary Martin Bowles disclosed the location of the file in a press release after the breach was reported—information that Guardian Australia had deliberately withheld to limit harm [3]
The Information Commissioner officially found the disclosure was "unlawful" under the Privacy Act [1][3]. The government was eventually ordered to compensate affected asylum seekers in a 2020 determination, marking the first time in Australian history that victims of a mass government data breach received compensation for non-economic loss [6].
Missing Context
The claim omits several important contextual factors:
1. Nature of the breach: The data exposure was accidental, not intentional. It resulted from a publishing error where an Excel spreadsheet containing personal information was embedded in a publicly released statistical report, not a deliberate leak or hack [1][3].
2. Departmental response: After the breach was discovered, the department did take containment steps including removing the file, engaging KPMG for a review, and attempting to remove the file from public search engines [3]. The OAIC noted these steps but found execution could have been improved [3].
3. Training and policy deficiencies: The Privacy Commissioner found the department had policies that "implied awareness of the risk of embedded personal information" but these had "lack of detail" and staff were not adequately trained in online publishing procedures [3].
4. Timeline of minister's statements: The claim about Morrison "making public further information about where to find the still life threatening document" requires context. Morrison stated on 19 February 2014 that he had been advised "all possible channels to access this information are closed"—but the file remained available on the Internet Archive for almost two weeks after this statement [3].
5. Systemic issue, not unique: The claim frames this as a specific Coalition failure without acknowledging that government data breaches occur across administrations and departments.
Source Credibility Assessment
The original sources are a mix of mainstream and advocacy sources:
The Guardian Australia: Mainstream news outlet, generally credible, was the outlet that originally broke the story [3]. The reporting includes direct quotes from official investigations.
SBS News: Australian public broadcaster, credible mainstream source [original source 1].
Crikey: Independent news site with a reputation for critical reporting, generally factual but can have an adversarial stance toward government [original source 2].
New Matilda: Left-leaning independent media outlet, advocacy-oriented journalism. Should be read with awareness of political perspective [original source 4].
ZDNet: Technology-focused mainstream publication, credible for tech/privacy reporting [original source 6].
Overall, the core facts are supported by the official Privacy Commissioner investigation report, which is the most authoritative source [1][3].
Labor Comparison
Did Labor have similar data breaches?
Search conducted: "Labor government data breach privacy incidents Australia"
Finding: The 2014 asylum seeker data breach occurred under the Abbott Coalition government. During the Rudd/Gillard Labor governments (2007-2013), there were various data security incidents, though none of comparable scale affecting asylum seekers specifically became publicly prominent.
Government data breaches are a systemic, non-partisan issue:
The Notifiable Data Breaches (NDB) scheme, established in 2018, reports over 1,100 data breaches annually across all sectors [7]. Government agencies consistently feature in these statistics regardless of which party is in power.
In 2017, the Australian Bureau of Statistics faced significant criticism over the 2016 Census data collection and security concerns, though this was not a breach of published data [no direct equivalent found].
Various departments across both Labor and Coalition administrations have faced privacy and data security challenges. The 2014 DIBP breach is notable primarily for its scale and the vulnerability of the affected population (asylum seekers)."
Key distinction: While data breaches occur under governments of all stripes, the specific circumstances here—affecting a vulnerable population with potential life-threatening consequences if returned to home countries—make this breach particularly serious. The scale (nearly 10,000 individuals) and international accessibility (downloads from 16 countries including hostile nations) were exceptional factors [5].
Balanced Perspective
While the facts are largely accurate, the claim's framing warrants scrutiny:
Critics' position: The breach represented a catastrophic failure of data security affecting vulnerable asylum seekers. The 13-day delay in removing cached copies and the minister's public disclosure of file location compounded the harm. Asylum seekers subsequently argued in court that exposure of their details put them at risk of persecution if returned home [3][8].
Official findings: The Privacy Commissioner concluded the department breached privacy law, had inadequate policies, and staff lacked proper training. The commissioner noted deficiencies in policies, procedures, and training "failed to adequately mitigate against the risk of a data breach" [3].
Government perspective: The breach was accidental, and the department took steps to contain it including removal, KPMG review, and search engine delisting attempts. The minister's statement that "all possible channels" were closed appears to have been based on departmental advice that was incorrect regarding the Internet Archive caching [3].
Comparative context: This breach is frequently cited as one of Australia's most serious government data breaches due to the vulnerability of affected individuals and international accessibility. While data breaches occur across all governments, the specific risk profile (asylum seekers facing persecution) makes this case distinct. The subsequent 2020 OAIC compensation order was unprecedented for a government data breach [6].
Key context: This breach is not typical of government data handling, but it also was not the result of deliberate malfeasance. It resulted from systemic deficiencies in training, procedures, and oversight that the OAIC found should have been addressed given the known risks of publishing sensitive information.
TRUE
7.0
out of 10
The core factual claims are accurate and confirmed by the Privacy Commissioner's official investigation. The department did unlawfully disclose personal details of approximately 9,500-10,000 asylum seekers, the information remained accessible for 13 days after notification (16 days total), and the minister's press release disclosed information about the file location. The data was accessed from multiple countries including some with poor human rights records. The claim accurately reflects findings of the official investigation.
Final Score
7.0
OUT OF 10
TRUE
The core factual claims are accurate and confirmed by the Privacy Commissioner's official investigation. The department did unlawfully disclose personal details of approximately 9,500-10,000 asylum seekers, the information remained accessible for 13 days after notification (16 days total), and the minister's press release disclosed information about the file location. The data was accessed from multiple countries including some with poor human rights records. The claim accurately reflects findings of the official investigation.
📚 SOURCES & CITATIONS (8)
-
1
oaic.gov.au
Investigation into the Department of Immigration and Border Protection after a media report that a database with personal information of about 10,000 asylum seekers was on the Department's website
OAIC -
2
pulse.kwm.com
The Australian Privacy Commissioner has found that the Department of Immigration and Border Protection contravened the Privacy Act when the Department accidentally published the personal details of almost 10,000 asylum seekers in a document that was intended to provide statistical information about the number and status of applications made for refugee status.
King & Wood Mallesons Pulse -
3
theguardian.com
Privacy commissioner finds sensitive data on almost 10,000 asylum seekers was left publicly exposed for 16 days after the breach was reported
the Guardian -
4
pressreader.com
Digital newsstand featuring 7000+ of the world’s most popular newspapers & magazines. Enjoy unlimited reading on up to 5 devices with 7-day free trial.
Digital Newspaper & Magazine Subscriptions -
5
databreaches.net
Paul Farrell and Oliver Laughland report: A file containing the personal details of almost 10,000 people in detention was accessed in 16 countries, including Ch
DataBreaches.Net -
6
lexology.com
For the first time in Australian history, the Office of the Australian Information Commissioner (OAIC) has found victims of a mass data breach should…
Lexology -
7PDF
Notifiable data breaches report July to December 2024
Oaic Gov • PDF Document -
8
sbs.com.au
Asylum seekers who face imminent removal from Australia have lodged a legal challenge to their deportation, saying a security breach by the Department of Immigration means they cannot be returned safely.
SBS News
Rating Scale Methodology
1-3: FALSE
Factually incorrect or malicious fabrication.
4-6: PARTIAL
Some truth but context is missing or skewed.
7-9: MOSTLY TRUE
Minor technicalities or phrasing issues.
10: ACCURATE
Perfectly verified and contextually fair.
Methodology: Ratings are determined through cross-referencing official government records, independent fact-checking organizations, and primary source documents.