Privacy issues in Australia’s SkillSelect platform may have exposed personal information of 700,000 aspiring migrants

Personal details of more than 700,000 migrants and hopeful immigrants to Australia may have been exposed in a data breach concerning the Department of Home Affairs’ SkillSelect platform.

The department asks skilled workers who wish to migrate to the land Down Under to express their interest by creating an online account, making it easier for applicants to be considered for a skilled Australian visa. While the expression of interest (EOI) is not a visa application, candidates who participate in the skills assessment and meet the mark have higher chances of receiving work visas.

During the application process, the SkillSelect portal asks participants to complete their personal information to create their online account, including:

• given name and family name
• date of birth
• country of birth
• gender
• passport and citizenship details
• place of residency
• relationship status

Once completed, the expression of interest is stored and displayed on the publicly available app for no less than 2 years. While account holders may access their EOI and update the information at any time, users of the app can also view any applicant’s ‘ADUserID’, an individual identifier including a partial name and numbers. While browsing through the app, the research team at Guardian Australia noticed that the database contained 774,326 unique ADUserIDs and 189,426 completed expressions of interest going back as far as 2014.

At first glance, only the birth country, age, qualifications, marital status and the outcome of the application could be reviewed. However, if multiple filters are applied in the search, users could obtain additional details and analyze individual entries of applicants.
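The filter-combination risk described above, as an added example that is not part of the original article and is not SkillSelect's code: it measures how small the matching group becomes as filters are stacked, and applies a minimum-group-size rule that withholds results matching too few people. The rows, field names and threshold `k` are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample rows (not real SkillSelect data). Field names are
# assumptions based on the attributes the article says could be reviewed.
FIELDS = ("birth_country", "age", "qualification", "marital_status")
ROWS = [
    ("India", 29, "Bachelor", "Married"),
    ("India", 29, "Masters", "Single"),
    ("India", 31, "Bachelor", "Single"),
    ("India", 31, "Masters", "Married"),
    ("China", 29, "Bachelor", "Single"),
    ("China", 29, "Masters", "Married"),
    ("China", 31, "Bachelor", "Married"),
    ("China", 31, "Masters", "Single"),
]

def smallest_group(rows, columns):
    """Size of the smallest group of rows sharing the same values in `columns`."""
    idx = [FIELDS.index(c) for c in columns]
    groups = Counter(tuple(r[i] for i in idx) for r in rows)
    return min(groups.values())

def audit(rows, k):
    """Map each filter combination that can isolate fewer than k rows to that size."""
    risky = {}
    for depth in range(1, len(FIELDS) + 1):
        for cols in combinations(FIELDS, depth):
            size = smallest_group(rows, cols)
            if size < k:
                risky[cols] = size
    return risky

def filtered_count(rows, k, **filters):
    """Answer a filtered count, returning None (suppressed) when fewer than k rows match."""
    matches = [r for r in rows
               if all(r[FIELDS.index(f)] == v for f, v in filters.items())]
    return len(matches) if len(matches) >= k else None

if __name__ == "__main__":
    # Each single filter still covers several rows; stacked filters reach one row.
    for cols, size in audit(ROWS, k=2).items():
        print(f"{' + '.join(cols)}: smallest group = {size}")
    print(filtered_count(ROWS, 2, birth_country="India", age=29))
    print(filtered_count(ROWS, 2, birth_country="India", age=29,
                         qualification="Masters"))
```

Suppressing small groups is a baseline rather than a complete defence: the difference between two permitted counts can still reveal a small group, so query auditing or added noise is usually layered on top.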

Following the discovery, Guardian Australia informed the Department of Home Affairs, and the SkillSelect platform was taken offline, described as “currently undergoing maintenance”.

Privacy advocates quickly latched on to the news, issuing comments regarding the government’s poor track record in keeping personal information safe.

“If you can use this to pin down a specific person that you’re thinking about and from that understand what they had entered into certain categories, then that is a way to extract information you might not already have known,” said Anna Johnston, the principal of Salinger Privacy.

This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Alina Bizga.