Documents Related to the MyService Security Vulnerability at the Department of Veterans’ Affairs
Dear FOI Officer,
I make this request for access to documents under the Freedom of Information Act 1982 (Cth).
I am seeking access to any documents held by the Department of Veterans’ Affairs that relate to a security vulnerability discovered in the MyService platform between 1 October 2023 and the date your office processes this request. The vulnerability I refer to involves a method by which unauthorised individuals could access veterans’ personal information, including but not limited to initial liability claims, rehabilitation claims, travel claims, and other sensitive data, through the manipulation of certain web address parameters. I am specifically interested in documents that discuss any aspect of this vulnerability, its discovery, investigation, remediation, and any related internal deliberations or notifications.
More specifically, I request documents that address the initial reporting of the vulnerability, such as records of the notification provided to the DVA by the individual who discovered it. I also seek documents detailing any actions taken in response, including technical assessments, internal discussions about the scope of the vulnerability, and any correspondence with service providers such as Services Australia. I request records that describe attempts to identify root causes, as well as any instructions, briefings, meeting minutes, or emails between DVA staff and service providers regarding remediation measures.
I also ask for any documents that relate to the decision-making process about whether and how the DVA complied with its mandatory reporting obligations under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme. This includes records of discussions or correspondence between DVA officials that consider whether the vulnerability constituted an eligible data breach and thus triggered the requirement to notify the Office of the Australian Information Commissioner. Furthermore, I am seeking documents that clarify whether the DVA intended to, attempted to, or decided not to inform the affected veterans whose personal and sensitive information may have been exposed. This includes any drafts or final versions of notifications, risk assessments, legal advice (if disclosable), and any instructions or guidelines that may have guided staff on how to handle such breaches.
If the DVA possesses documents that outline general policies or procedures governing how staff should respond to data breaches or vulnerabilities of this nature, I request access to these materials as well. This may include internal manuals, policy frameworks, standard operating procedures, or incident response plans relied upon by DVA staff when managing the discovered vulnerability.
I request that you provide the documents in electronic form, such as PDF files, unless they are only available in another format. Should any documents contain sensitive personal information about individuals not directly relevant to the subject matter, I understand that you may redact those details in accordance with the FOI Act. I ask that you consider the strong public interest in the transparency and accountability of government agencies, particularly where the personal data of a vulnerable community, in this case the veteran community, is concerned. The disclosure of these documents will serve the public interest by enabling a better understanding of how the DVA protects personal information, and how it complies with legal obligations when serious vulnerabilities arise.
If you consider that this request is too broad or is likely to lead to a practical refusal, I ask that you consult with me under section 24AB of the FOI Act. I am willing to discuss the scope of this request to ensure it can be processed efficiently. If there are any charges associated with this request, I respectfully ask you to consider a reduction or waiver of fees in the public interest, given the importance of the matter and its direct impact on the welfare of veterans.
I look forward to receiving acknowledgment of this request and a decision within the statutory timeframes.
Dear Noseyrosey,
The Department of Veterans' Affairs (the department) has received your
request for access to information under the Freedom of Information Act
1982 (FOI Act). I note you have requested access to the following:
'...I am seeking access to any documents held by the Department of
Veterans' Affairs that relate to a security vulnerability discovered in
the MyService platform between 1 October 2023 and the date your office
processes this request. The vulnerability I refer to involves a method by
which unauthorised individuals could access veterans' personal
information, including but not limited to initial liability claims,
rehabilitation claims, travel claims, and other sensitive data, through
the manipulation of certain web address parameters. I am specifically
interested in documents that discuss any aspect of this vulnerability, its
discovery, investigation, remediation, and any related internal
deliberations or notifications.
More specifically, I request documents that address the initial reporting
of the vulnerability, such as records of the notification provided to the
DVA by the individual who discovered it. I also seek documents detailing
any actions taken in response, including technical assessments, internal
discussions about the scope of the vulnerability, and any correspondence
with service providers such as Services Australia. I request records that
describe attempts to identify root causes, as well as any instructions,
briefings, meeting minutes, or emails between DVA staff and service
providers regarding remediation measures.
I also ask for any documents that relate to the decision-making process
about whether and how the DVA complied with its mandatory reporting
obligations under the Privacy Act 1988 (Cth) and the Notifiable Data
Breaches scheme. This includes records of discussions or correspondence
between DVA officials that consider whether the vulnerability constituted
an eligible data breach and thus triggered the requirement to notify the
Office of the Australian Information Commissioner. Furthermore, I am
seeking documents that clarify whether the DVA intended to, attempted to,
or decided not to inform the affected veterans whose personal and
sensitive information may have been exposed. This includes any drafts or
final versions of notifications, risk assessments, legal advice (if
disclosable), and any instructions or guidelines that may have guided
staff on how to handle such breaches.
If the DVA possesses documents that outline general policies or procedures
governing how staff should respond to data breaches or vulnerabilities of
this nature, I request access to these materials as well. This may include
internal manuals, policy frameworks, standard operating procedures, or
incident response plans relied upon by DVA staff when managing the
discovered vulnerability...'
Your request was received by the department on 14 December 2024 and the
ordinary 30 day statutory period for processing your request commenced
from the day after that date.
If we are in a position to make a decision on your request earlier than
this date, we will endeavour to do so.
The statutory period may also be extended if we need to consult third
parties or for other reasons permitted under the FOI Act. We will advise
you if this happens.
Extension of Time
As DVA will be closed from 25 December 2024 to 1 January 2025 inclusive
for the holiday season, we are asking for your agreement to an extension
of time for a further 30 days to process this request under section 15AA
of the FOI Act. This would mean that your request is due on 12 February
2025.
Please reply by return email if you agree to this extension of time. If
you do agree we will notify the Office of the Australian Information
Commissioner (OAIC) of your agreement under section 15AA of the FOI Act.
Charges
If the Department considers that a charge will apply to your request, you
will be notified within 14 days of an estimate of the charges that will
apply to your request for non-personal information before we process any
requested documents or impose a final charge.
Your address
The FOI Act requires that you provide us with an address that we can send
notices to. You have advised your contact address is
[1][FOI #12572 email]. Unless you tell us
otherwise, we will send all notices and correspondence to this address.
Disclosure log
Information released under the FOI Act may be published on a disclosure
log on our website, subject to certain exceptions. These exceptions
include where publication of personal, business, professional or
commercial information would be unreasonable.
Further assistance
If you have any questions about your request, please email
[2][DVA request email]
Yours sincerely
Kevin | Information Access Officer
Position 62373493
Information Access Unit
Client and Information Access Branch
Ministerial, Communication & Engagement Division
Department of Veterans’ Affairs
1800 VETERAN (1800 838 372)
[3][DVA request email]
[4]www.dva.gov.au
References
Visible links
1. mailto:[FOI #12572 email]
2. mailto:[DVA request email]
3. mailto:[DVA request email]
4. http://www.dva.gov.au/
Dear INFORMATION.ACCESS,
As per my initial email, the extension has not been granted.
Yours sincerely,
noseyrosey
Dear FOI Officer,
I am writing in regard to my Freedom of Information (FOI) request, submitted on 14 December 2024, seeking access to documents related to the MyService security vulnerability. As the statutory timeframe for a decision expired on 13 January 2025, and no decision has been received, this matter is now considered a deemed refusal under section 15AC of the Freedom of Information Act 1982 (Cth).
Please be advised that, as a result of the deemed refusal, I have lodged a formal application for review with the Office of the Australian Information Commissioner (OAIC). My OAIC submission details are as follows:
Submission Receipt Number: WEB-MR-25-00843
Submission Date: 14 January 2025
Subject of FOI Request: Documents Related to the MyService Security Vulnerability
This matter is of significant public importance, as it pertains to a critical security vulnerability that may have exposed sensitive personal information of veterans. The delay in processing this request and the failure to provide a decision within the statutory timeframe undermines transparency and accountability.
I respectfully remind the Department of its obligations under the FOI Act to comply with statutory timeframes and to ensure timely access to government-held information. I trust that the Department will cooperate fully with the OAIC in resolving this matter expeditiously.
Should you have any further questions, you may contact me via email at [email address].
Yours sincerely,
Nosey Rosey
Dear NoseyRosey,
Thank you for your request for information under the FOI Act, received by
the Department on 14 December 2024.
I am seeking clarification on part of your scope.
Attached is the consultation notice under s24AB of the FOI Act.
Please provide your response via return email by 26 January 2025 (14 days
from the date of this notification) in order for us to continue processing
your request.
Please be aware that if you decline to refine the scope of your request,
your request may result in a practical refusal decision.
Please get in touch if you have any questions regarding this process.
Kind regards,
Zoey | Senior Information Access Officer
Position Number: 62214764
Information Access Unit
Client and Information Access Branch
Ministerial, Communication & Engagement Division
Department of Veterans’ Affairs
P: 1800 VETERAN (1800 838 372)
E: [1][DVA request email]
W: [2]www.dva.gov.au
References
Visible links
1. mailto:[DVA request email]
2. http://www.dva.gov.au/
Dear INFORMATION.ACCESS,
This is already a deemed request and as such was referred to the OAIC yesterday; you do not get another whack at this until the IC review commences.
Further, however, for your questions I suggest you seek the information from Kellie Sheriff, Acting Assistant Secretary | Chief Information Security Officer, Digital Operations and Support Branch.
Furthermore, the funny thing is that Services Australia were able to find the documents and have already done a courtesy consult with your office.
Yours sincerely,
noseyrosey