Nearly 50,000 Australians and 5000 federal public servants have had sensitive personal information exposed online as part of one of the nation's biggest ever data breaches.
Employees of the Department of Finance, the Australian Electoral Commission and National Disability Insurance Agency have been caught up in the massive leak caused by a private contractor, along with more than 40,000 private sector workers from insurer AMP, utility UGL and Dutch multinational Rabobank.
The leaked information included names, passwords, ID data, phone numbers, as well as credit card numbers and corporate information including salaries and expenses, IT News reported on Thursday.
The Department of Prime Minister and Cabinet confirmed it was aware of a breach involving a third-party contractor, but said the data exposed was historical, archived and partially anonymised.
It contained limited personally identifiable information of government employees such as work email addresses, and in some cases Australian Government Service numbers and corporate credit card details, the department said.
The bulk of credit card information within the data had expired.
A spokesman for the department said the data breach involved a third-party contractor engaged to provide expense management services, affecting four federal government departments.
About 3000 employee records from the Finance Department were exposed, along with 1470 from the Australian Electoral Commission and 300 at the National Disability Insurance Agency, IT News reported.
The records were accessible through an incorrectly configured Amazon cloud storage service and reportedly discovered by a Polish security researcher identified as "Wojciech".
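The exposure described above came from cloud storage that was left readable by anyone, not from a break-in. As an added example that is not from the article, the departments, the contractor or Amazon, here is a small Python checker of the kind a defender runs over exported bucket settings: it flags public grants in an S3-style bucket policy and ACL and checks the account-level Block Public Access switches, then runs over a constructed "weak" configuration and its corrected counterpart. S3 itself is an assumption (the article says only "Amazon cloud storage service"), and the bucket name, account ID, role name and canonical user ID are placeholders.

```python
"""Added example: detect anonymous-read grants in S3-style bucket settings.

Assumes the storage was an S3 bucket (the article does not say which Amazon
service). All policy/ACL documents below are constructed samples with
placeholder identifiers, not the contractor's real configuration.
"""

# ACL group URIs that grant access to everyone, or to any AWS account holder.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True when a policy Principal matches anonymous callers ("*" or AWS:"*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_statements(policy):
    """Return Allow statements whose Principal is public, with their actions."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            # A Condition may narrow the grant; it still needs human review.
            "conditional": "Condition" in stmt,
        })
    return findings


def public_acl_grants(acl):
    """Return (group URI, permission) pairs that grant access to public groups."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            grants.append((grantee["URI"], grant.get("Permission")))
    return grants


def block_public_access_enabled(config):
    """True only when all four Block Public Access settings are on."""
    return all(config.get(key, False) for key in BPA_KEYS)


def assess_bucket(name, policy, acl, bpa_config):
    """Combine the three checks into one verdict for a bucket."""
    statements = public_statements(policy)
    grants = public_acl_grants(acl)
    bpa_on = block_public_access_enabled(bpa_config)
    return {
        "bucket": name,
        "public_policy_statements": statements,
        "public_acl_grants": grants,
        "block_public_access": bpa_on,
        # Block Public Access overrides public ACLs and public policies.
        "exposed": bool(statements or grants) and not bpa_on,
    }


# --- Constructed sample configurations (placeholders, not real values) ---
OWNER = {"Type": "CanonicalUser", "ID": "CANONICAL-ID-PLACEHOLDER"}

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::expense-backups/*"}]}
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
WEAK_BPA = {key: False for key in BPA_KEYS}

FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExpenseAppRole"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::expense-backups/*"}]}
FIXED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FIXED_BPA = {key: True for key in BPA_KEYS}


if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_BPA)),
                       ("fixed", (FIXED_POLICY, FIXED_ACL, FIXED_BPA))):
        print(label, assess_bucket("expense-backups", *cfg))
```

The checker is deliberately conservative: a statement with a Condition is still reported (flagged `conditional`) rather than silently accepted, and a bucket only counts as not exposed when every Block Public Access setting is on, since a public ACL or policy left in place is one settings change away from reopening the data.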
The government's Australian Cyber Security Centre was first alerted to the breach in early October.
The Department of Prime Minister and Cabinet said the ACSC immediately contacted the contractor to secure the information and remove the vulnerability within hours of being notified.
"The exposed data did not contain any national security information, classified material, or Australian government customer data."
Departments involved have been notifying affected staff and giving them appropriate support, and have worked with the ACSC and the Office of the Australian Information Commissioner to respond to the breach, it said.
"Having removed the vulnerability, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements, and support affected staff."
AMP was the organisation worst hit in the breach, with about 25,000 staff records exposed.
Some 17,000 records were exposed from UGL along with 1500 from Rabobank.
The private contractor has not been named but it is understood the information was primarily backed-up data from March 2016.
The leak follows revelations last month that a 1000-page security manual related to security upgrades at Parliament House had been lost by defence giant BAE Systems.
In October 2016, private information related to half a million Australians – including their sexual and medical histories – was made public when Australian Red Cross Blood Service files were accidentally placed on an unsecured, public-facing website.
Opposition digital economy spokesman Ed Husic said the latest breach was a grave error, made more disturbing because it followed recent leaks, including the leak of Medicare information.
Mr Husic said it risked undermining public confidence in government data security.
"On top of this, it's clear the government knew about it, they weren't public about it," he said.
"The government did not explain what they knew and how they were fixing it.
"We're calling for a review of what's happened, and want to hear from the government as well," he said.
A spokesman for AMP confirmed a limited amount of data related to staff expenses had been stored inadvertently in a publicly available cloud service operated by a third-party supplier.
"The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed.
"No customer data was compromised at any time," he said.
Community and Public Sector Union national secretary Nadine Flood called on the government to take immediate steps to rectify the breach.
"The private operator behind this serious breach has not only failed to protect the personal information of Commonwealth public sector workers, but also potentially the critical information held by those government agencies on Australians," she said.
"Disclosing employees' email addresses, passwords and IDs fairly obviously gives cyber attackers a way into those systems."
Doug Dingwall is a reporter for The Canberra Times covering the public service and politics.