Documents Related to the MyService Security Vulnerability at the Department of Veterans’ Affairs
Dear FOI Officer,
I make this request for access to documents under the Freedom of Information Act 1982 (Cth).
I am seeking access to any documents held by the Department of Veterans’ Affairs that relate to a security vulnerability discovered in the MyService platform between 1 October 2023 and the date your office processes this request. The vulnerability I refer to involves a method by which unauthorised individuals could access veterans’ personal information, including but not limited to initial liability claims, rehabilitation claims, travel claims, and other sensitive data, through the manipulation of certain web address parameters. I am specifically interested in documents that discuss any aspect of this vulnerability, its discovery, investigation, remediation, and any related internal deliberations or notifications.
More specifically, I request documents that address the initial reporting of the vulnerability, such as records of the notification provided to the DVA by the individual who discovered it. I also seek documents detailing any actions taken in response, including technical assessments, internal discussions about the scope of the vulnerability, and any correspondence with service providers such as Services Australia. I request records that describe attempts to identify root causes, as well as any instructions, briefings, meeting minutes, or emails between DVA staff and service providers regarding remediation measures.
I also ask for any documents that relate to the decision-making process about whether and how the DVA complied with its mandatory reporting obligations under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme. This includes records of discussions or correspondence between DVA officials that consider whether the vulnerability constituted an eligible data breach and thus triggered the requirement to notify the Office of the Australian Information Commissioner. Furthermore, I am seeking documents that clarify whether the DVA intended to, attempted to, or decided not to inform the affected veterans whose personal and sensitive information may have been exposed. This includes any drafts or final versions of notifications, risk assessments, legal advice (if disclosable), and any instructions or guidelines that may have guided staff on how to handle such breaches.
If the DVA possesses documents that outline general policies or procedures governing how staff should respond to data breaches or vulnerabilities of this nature, I request access to these materials as well. This may include internal manuals, policy frameworks, standard operating procedures, or incident response plans relied upon by DVA staff when managing the discovered vulnerability.
I request that you provide the documents in electronic form, such as PDF files, unless they are only available in another format. Should any documents contain sensitive personal information about individuals not directly relevant to the subject matter, I understand that you may redact those details in accordance with the FOI Act. I ask that you consider the strong public interest in the transparency and accountability of government agencies, particularly where the personal data of a vulnerable community, in this case the veteran community, is concerned. The disclosure of these documents will serve the public interest by enabling a better understanding of how the DVA protects personal information, and how it complies with legal obligations when serious vulnerabilities arise.
If you consider that this request is too broad or is likely to lead to a practical refusal, I ask that you consult with me under section 24AB of the FOI Act. I am willing to discuss the scope of this request to ensure it can be processed efficiently. If there are any charges associated with this request, I respectfully ask you to consider a reduction or waiver of fees in the public interest, given the importance of the matter and its direct impact on the welfare of veterans.
I look forward to receiving acknowledgment of this request and a decision within the statutory timeframes.
Dear Noseyrosey,
The Department of Veterans' Affairs (the department) has received your
request for access to information under the Freedom of Information Act
1982 (FOI Act). I note you have requested access to the following:
'...I am seeking access to any documents held by the Department of
Veterans' Affairs that relate to a security vulnerability discovered in
the MyService platform between 1 October 2023 and the date your office
processes this request. The vulnerability I refer to involves a method by
which unauthorised individuals could access veterans' personal
information, including but not limited to initial liability claims,
rehabilitation claims, travel claims, and other sensitive data, through
the manipulation of certain web address parameters. I am specifically
interested in documents that discuss any aspect of this vulnerability, its
discovery, investigation, remediation, and any related internal
deliberations or notifications.
More specifically, I request documents that address the initial reporting
of the vulnerability, such as records of the notification provided to the
DVA by the individual who discovered it. I also seek documents detailing
any actions taken in response, including technical assessments, internal
discussions about the scope of the vulnerability, and any correspondence
with service providers such as Services Australia. I request records that
describe attempts to identify root causes, as well as any instructions,
briefings, meeting minutes, or emails between DVA staff and service
providers regarding remediation measures.
I also ask for any documents that relate to the decision-making process
about whether and how the DVA complied with its mandatory reporting
obligations under the Privacy Act 1988 (Cth) and the Notifiable Data
Breaches scheme. This includes records of discussions or correspondence
between DVA officials that consider whether the vulnerability constituted
an eligible data breach and thus triggered the requirement to notify the
Office of the Australian Information Commissioner. Furthermore, I am
seeking documents that clarify whether the DVA intended to, attempted to,
or decided not to inform the affected veterans whose personal and
sensitive information may have been exposed. This includes any drafts or
final versions of notifications, risk assessments, legal advice (if
disclosable), and any instructions or guidelines that may have guided
staff on how to handle such breaches.
If the DVA possesses documents that outline general policies or procedures
governing how staff should respond to data breaches or vulnerabilities of
this nature, I request access to these materials as well. This may include
internal manuals, policy frameworks, standard operating procedures, or
incident response plans relied upon by DVA staff when managing the
discovered vulnerability...'
Your request was received by the department on 14 December 2024 and the
ordinary 30 day statutory period for processing your request commenced
from the day after that date.
If we are in a position to make a decision on your request earlier than
this date, we will endeavour to do so.
The statutory period may also be extended if we need to consult third
parties or for other reasons permitted under the FOI Act. We will advise
you if this happens.
Extension of Time
As DVA will be closed from 25 December 2024 to 1 January 2025 inclusive
for the holiday season, we are asking for your agreement to an extension
of time for a further 30 days to process this request under section 15AA
of the FOI Act. This would mean that your request is due on 12 February
2025.
If we are in a position to make a decision on your request earlier than
this date, we will endeavour to do so.
The statutory period may also be extended if we need to consult third
parties or for other reasons permitted under the FOI Act. We will advise
you if this happens.
Please reply by return email if you agree to this extension of time. If
you do agree we will notify the Office of the Australian Information
Commissioner (OAIC) of your agreement under section 15AA of the FOI Act.
Charges
If the Department considers that a charge will apply to your request, you
will be notified within 14 days of an estimate of the charges that will
apply to your request for non-personal information before we process any
requested documents or impose a final charge.
Your address
The FOI Act requires that you provide us with an address that we can send
notices to. You have advised your contact address is
[FOI #12572 email]. Unless you tell us
otherwise, we will send all notices and correspondence to this address.
Disclosure log
Information released under the FOI Act may be published on a disclosure
log on our website, subject to certain exceptions. These exceptions
include where publication of personal, business, professional or
commercial information would be unreasonable.
Further assistance
If you have any questions about your request, please email
[DVA request email]
Yours sincerely
Kevin | Information Access Officer
Position 62373493
Information Access Unit
Client and Information Access Branch
Ministerial, Communication & Engagement Division
Department of Veterans’ Affairs
1800 VETERAN (1800 838 372)
[DVA request email]
www.dva.gov.au
Dear INFORMATION.ACCESS,
As per my initial email, the extension has not been granted.
Yours sincerely,
noseyrosey