Autofill error leads to disclosure of world leaders' personal data

Personal details of world leaders present at November’s G20 Summit, held in Brisbane, were inadvertently leaked to organizers of the Asian Cup by the Australian immigration department, highlighting global security concerns linked to cyber attacks and personal data disclosures.

Pablo Martinez Monsivais/Reuters/File
U.S. President Barack Obama gives a thumbs-up to the camera as he and other leaders pose for a group photo at the G20 summit in Brisbane Nov. 15, 2014. Mr. Obama is among 31 leaders present at the summit whose personal details were accidentally disclosed to Asian Cup organizers by an employee of the Australian immigration department.

Be careful what you autofill.

Personal details of world leaders at last November’s G20 Summit in Brisbane were accidentally sent to organizers of the Asian Cup football tournament by the Australian immigration department through the use of Outlook's autofill function, The Guardian reported Monday.

While the leak was inadvertent and deemed ultimately low-risk, the breach highlights data security concerns that have become a global issue as businesses, educational institutions, and other organizations proved vulnerable over the last few years to both cyber attacks and accidental personal data disclosures – some of which could have been easily prevented.

The G20 breach involved information on 31 international leaders, including United States president Barack Obama, Russian president Vladimir Putin, German chancellor Angela Merkel, Chinese president Xi Jinping, Indian prime minister Narendra Modi, Japanese prime minister Shinzo Abe, and British prime minister David Cameron, according to The Guardian.

Names, dates of birth, titles, passport numbers, and visa grant numbers were among the data disclosed after an immigration employee “failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field,” an officer in Australia’s Department of Immigration and Border Protection wrote in an email, dated Nov. 7, 2014, to the office of the nation’s privacy commissioner.

“The cause of the breach was human error,” according to the letter.

Security researchers have warned of the potential dangers of autofill, a setting that lets a browser or app use stored data to automatically fill out forms, because when combined with the human tendency to err, the consequences of such convenience can range from embarrassing to dire.

In 2012, The Boston Globe’s Peter Post blogged about a woman who was fired for missending an email that contained disparaging comments about her boss…to her boss. Two years earlier, a UK police officer sent a file containing thousands of confidential criminal records checks to a local journalist, whose email had been saved after it was used to submit previous Freedom of Information requests.

The use of autofill can also make certain stored information vulnerable to attack, as occurred with the Safari browser in 2010. Google warns users: “It's important that you use Autofill only on websites you trust, as certain websites might try to capture your information in hidden or hard-to-see fields.”

“AutoFill is a feature that requires exchanging some security and privacy in favor of convenience,” tech analyst Tony Bradley wrote for PCWorld in 2010.

A quick way to avoid potential trouble is to disable the feature on browsers: Google Chrome has it under “Passwords and forms” in its advanced settings, while Firefox has it in its “Privacy” panel.

There are also middle-ground options: iPad and iPhone users, for instance, can limit autofill to contact information while disabling the use of names and passwords.

The best advice, however, is to exercise care and good judgment.

“I am not suggesting that everyone abandon AutoFill and go back to tediously typing in the same information every time the need arises,” Mr. Bradley wrote. “I am, however, advocating that IT admins and users in general understand that the same features that provide convenience for the user also make it more convenient for an attacker to breach or compromise the data stored there.”

A related but separate issue that the Australian immigration department is facing in the G20 leak is its decision not to disclose the breach to the world leaders involved, reasoning that the unauthorized recipient had immediately deleted the message and emptied his deleted items folder, and that “the risks of the breach are considered very low.”

The decision has led opposition leaders to call for an explanation from government officials, especially as debates around online security legislation take center stage in Australia.

“Only last week the government was calling on the Australian people to trust them with their online data,” one senator told The Guardian, “and now we find out they have disclosed the details of our world leaders.”
