Sixteen (16) current and former members of the Australian Federal Police were assessed to be most at risk following the data breach of law firm HWL Ebsworth in April.
Speaking at a senate estimates hearing last night, the force’s chief operating officer Charlotte Tressler said a total of “67 current and former AFP ‘appointees’ were affected by the breach.
The AFP defines appointees as “a deputy commissioner, an AFP employee, special member or special protective service officer”.
Tressler said that 51 of the people impacted did not experience a “notifiable breach” based on internal AFP definitions.
She said that details such as name, mobile number or email address were leaked to the dark web for these people.
“It wasn’t assessed to be at the threshold of serious harm,” Tressler said.
“But we did have 16 current or former members that did have a notifiable data breach, and we assessed that there would be a potential risk of serious harm to those appointees.”
The AFP’s exposure to the law firm breach was only made public last month, and it declined at the time to detail the extent of its exposure.
Tressler said last night that “the majority of the information” that was breached “was in relation to employment-related matters.”
“Some of the information, for example, included some appointees’ involvement in our professional standards investigations including disclosing at least one complainant’s details, statements from other members obtained under direction from our professional standards area, as well as investigation findings, information regarding legal complaints relating to appointees, as well as information relating to an Australian Human Rights Commission complaint from an appointee as well,” she said.
Tressler confirmed to Liberal Senator James Paterson that the AFP would review its procurement processes and strengthen contractual clauses in the wake of the incident.
“We are looking at a range of matters,” she said.
“In particular, we’re looking at what we’re calling our third-party risk management handbook which is being drafted [and] still going through our clearance processes, but we need to have that in place.
“It will look at roles and responsibilities for key stakeholders, deadlines and timeframes around our procurement processes, ensuring that we’re assessing the risk that’s associated with particular arrangements.
“We’re also refreshing the risk assessment process that we use when contracting with providers and we’ve also, from a legal perspective as well, been strengthening our clauses that get included in our contracts so that we’ve got greater protections.
“[In addition], our IT area is also looking at trialling a tool that will help strengthen these arrangements further.”
Separately, the AFP said a joint investigation with Victoria Police into the HWL Ebsworth incident as a whole remained active.
The incident impacted 65 Australian government entities, as well as private sector organisations.
Acting deputy commissioner Grant Nicholls said the investigation “is progressing, and I’m not uncomfortable with that progression.”
“It’s an ongoing investigation,” he said. “We’re making what I would describe as steady progress.”