Autofill error leads to disclosure of world leaders' personal data
Be careful what you autofill.
Personal details of world leaders at last November’s G20 Summit in Brisbane were accidentally sent to organizers of the Asian Cup football tournament by the Australian immigration department through the use of Outlook's autofill function.
While the leak was inadvertent and deemed ultimately low-risk, the breach highlights data security concerns that have become a global issue as businesses, educational institutions, and other organizations proved vulnerable over the last few years to both cyber attacks and accidental personal data disclosures – some of which could have been easily prevented.
The G20 breach involved information on 31 international leaders, including United States president Barack Obama, Russian president Vladimir Putin, German chancellor Angela Merkel, Chinese president Xi Jinping, Indian prime minister Narendra Modi, Japanese prime minister Shinzo Abe, and British prime minister David Cameron, according to The Guardian.
Names, dates of birth, titles, passport numbers, and visa grant numbers were among the data disclosed after an immigration employee “failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field,” an officer in Australia’s Department of Immigration and Border Protection wrote in a letter, dated Nov. 7, 2014, to the office of the nation’s privacy commissioner.
“The cause of the breach was human error,” according to the letter.
Security researchers have warned of the potential dangers of autofill, a setting that lets a browser or app use stored data to automatically fill out forms, because when combined with the human tendency to err, the consequences of such convenience can range from embarrassing to dire.
In 2012, The Boston Globe’s Peter Post for missending an email that contained disparaging comments about her boss… to her boss. Two years earlier, a UK police officer containing thousands of confidential criminal records checks to a local journalist, whose email had been saved after it was used to submit previous Freedom of Information requests.
The use of autofill can also make certain stored information vulnerable to attack. Google warns users: “It's important that you use Autofill only on websites you trust, as certain websites might try to capture your information in hidden or hard-to-see fields.”
“AutoFill is a feature that requires exchanging some security and privacy in favor of convenience,” tech analyst Tony Bradley wrote.
A quick way to avoid potential trouble is to disable the feature on browsers: has it under the “Passwords and forms” in its advanced settings options, while has it in its “Privacy” panel.
There are also middle-ground options: iPad and iPhone users, for instance, to contact information while disabling the use of names and passwords.
The best advice, however, is to exercise care and good judgment.
“I am not suggesting that everyone abandon AutoFill and go back to tediously typing in the same information every time the need arises,” Mr. Bradley wrote. “I am, however, advocating that IT admins and users in general understand that the same features that provide convenience for the user also make it more convenient for an attacker to breach or compromise the data stored there.”
A related but separate issue that the Australian immigration department is facing in the G20 leak is its decision not to disclose the breach to the world leaders involved, reasoning that the unauthorized recipient had immediately deleted the message and emptied his deleted items folder, and that “the risks of the breach are considered very low.”
The decision has led opposition leaders to call for an explanation from government officials, especially as take center stage in Australia.
“Only last week the government was calling on the Australian people to trust them with their online data,” one senator told The Guardian, “and now we find out they have disclosed the details of our world leaders.”