Audit Office flags database security flaws at Births, Deaths & Marriages

The NSW Audit Office has warned of systemic flaws in the state's Registry of Births, Deaths, and Marriages’ (BD&M) database management system, with sensitive public records potentially exposed to unauthorised access. 
 

The concerns were highlighted in a report released earlier this month by the state auditor warning that the BD&M – an agency under the remit of the state’s Customer Service department – lacks sufficient controls to fully protect its LifeLink database.

LifeLink, launched in 2014, houses Registry data and provides a customer-facing search facility to access BD&M records. Agency staff are able to access, add to, and amend the Register through the LifeLink application.

Chief among the concerns, the report noted, were the agency's “insufficient controls” to prevent the distribution of sensitive information in its Register (which houses all BD&M records, including birth and marriage record data), as well as a lack of restrictions on staff exporting and distributing information from LifeLink.

“This increases the risk of unauthorised access to, and misuse of LifeLink data and creates the risk that information may be sent to unauthorised third parties,” the report noted.

Designated staff could, it was revealed, also use specialised software to generate reports of data from the Register without due authorisation.

The report however noted that “BD&M has since commenced routine audits to address this”.

The audit further identified a lack of sufficient assurance by the agency in determining the effectiveness of its database security controls. It also failed to maintain direct oversight of the database environment, simply relying on the Department of Communities and Justice’s (DOJ) management of a third-party vendor to provide assurances over database security.

“The vendor operates an Information Security Management System that is certified against international standards, but neither BD&M nor DCJ has undertaken independent assurance of the effectiveness of the vendor's general IT controls.”

There were additional gaps identified in controls to prevent and detect unauthorised access to the databases and servers, the report said.

“Neither BD&M nor DCJ is regularly reviewing users who have access to the databases and related servers that sit behind the Register. They are also not monitoring user activity in these databases and servers.

“Passwords that individuals use to access the databases and servers are not configured in line with DCJ's policy on required password settings. This creates the risk of unauthorised access or changes to the Register that are not identified.”

Auditor recommendations

The BD&M maintains a comprehensive register of births, deaths, and marriages within New South Wales. The agency also registers adoptions, changes of name, and changes in sex and relationships. These records are collectively referred to as 'the Register' and hold data for all individuals who have registered these details within NSW.

Maintaining the integrity of data held within the Register remains an utmost priority, the auditor stressed, as information is used by both the government and individuals confirm identity.

“Unauthorised access to, or misuse of the information in the Register can lead to fraud or identity theft. For these reasons it is important that there are sufficient controls in place to protect the information."

The complex patchwork of database management and security oversight was also noted in the report, with agencies lacking a clear definition of who should oversee what.

Despite the BD&M agency now under the remit of Customer Services (following MoG changes enacted by the Government mid-last year), its former parent agency, the Department of Communities and Justice, retains control over the security and management of the underlying LifeLink database.

The auditor thus urged for greater collaboration between the Customer Services agency and the DCJ to enforce best practice security controls, noting, in particular, "that passwords for users authorised to access the databases and servers comply with the Department of Communities and Justice's policy on password settings".

The report also sought an action plan to routinely monitor privileged user activity in the Register, whilst restricting the ability of LifeLink users to export and distribute information from the Register outside of legitimate actions.