World leaders’ personal details accidentally disclosed at G20 event

Passport numbers and other details for Obama, Putin, Merkel and Cameron revealed

Australian prime minister Tony Abbott and Russian president Vladimir Putin cuddle koalas before the start of the first G20 meeting in November 2014. Photograph: Andrew Taylor/G20 Australia/Getty Images
Australian prime minister Tony Abbott and Russian president Vladimir Putin cuddle koalas before the start of the first G20 meeting in November 2014. Photograph: Andrew Taylor/G20 Australia/Getty Images

The personal details of world leaders such as US president Barack Obama and British prime minister David Cameron, including passport numbers and visa details, were accidentally leaked to the organisers of a football tournament last year.

The breach, which came during the G20 Summit in Australia last year, included data from 31 world leaders being sent to the wrong person by the Australian Department of Immigration.

The leaders affected - who also included Russian president Vladimir Putin and German chancellor Angela Merkel - were not informed their information had been compromised.

Details of the security breach were described in emails obtained by The Guardian under a Freedom of Information request.

READ SOME MORE

An error meant the details were sent to the organisers of the Asian Cup football tournament, which was held in Australia.

Australia’s privacy commissioner was contacted by the Department of Immigration to inform them of the data breach, and sought advice on the incident.

“The personal information which has been breached is the name, date of birth, title, position, nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (ie prime ministers, presidents and their equivalents) attending the G20 leaders summit,” the email said.

"The cause of the breach was human error. (Redacted) failed to check that the autofill function in Microsoft Outlook had entered the correct person's details into the email 'To' field. This led to the email being sent to the wrong person."

The Autofill feature of Microsoft’s Outlook email service automatically suggests a recipient’s email address as the sender begins to type.

The immigration office added that the Asian Cup representatives who had received the email said they did not believe the data sent to be accessible or “stored anywhere else in their systems”.

“The matter was brought to my attention directly by (redacted) immediately after receiving an email from (the recipient) informing them that they had sent the email to the wrong person,” the email continues.

“The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”

The officer then goes on to suggest that the world leaders affected should not be made aware of the breach.

“Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach.”

The Australian Department of Immigration is yet to respond.

Australia's deputy opposition leader, Tanya Plibersek, has called on prime minister Tony Abbott to explain why the world leaders involved were not told of the breach.

“The prime minister and the immigration minister must explain this serious incident and the decision not to inform those affected,” she said.

Tony Pepper, chief executive of internet security firm Egress Software Technologies, said: "This is a shocking breach in security that should have been disclosed immediately — however it's actually a very common mistake.

‘Autofill’ options when entering a recipient’s details create a wide margin for human error when sharing confidential information by email.

However, this is no longer an acceptable excuse, particularly when sharing such highly sensitive information.”