THE City of Kalamunda has commissioned a review by an independent audit and risk expert to investigate how it lost a USB containing personal information of 519 ratepayers.
Ratepayer information was downloaded to the USB as part of the City’s annual audit and sent to the address of the external auditor, Grant Thornton, in late September.
The device never arrived at the address, and to date the device has not been recovered.
In a letter to affected ratepayers dated October 16, CEO Rhonda Hardy said the device was lost in the post.
The letter confirmed the device contained banking details of ratepayers, including the account name, BSB and account numbers.
The letter also said the City considered the risk of the information being used in an adverse manner as low.
“The City will advise affected ratepayers should the external device arrive at its destination or be returned,” the letter read.
Echo News sent a series of questions to the City of Kalamunda on Friday October 19, and on Tuesday October 23 the City responded.
The responses contained no new information, apart from the fact that the lost information had impacted “approximately two per cent of ratepayers”.
The City later confirmed the exact number of ratepayers was 519.
One ratepayer that was impacted is Glazelle Van Wyngaard.
Ms Wyngaard was advised by her bank that the only way to keep her account safe after the loss of her information was to close her bank account and open a new one, an action she has taken.
She has also cancelled her direct debit rate payments with the City, and will now only pay in person or via BPAY.
She said she had lost faith in the City.
“I’m not a happy customer and I can’t believe they would be so irresponsible, I’m gobsmacked,” she said.
“You would think they would have a bit more due diligence, a better duty of care for personal information.
“It doesn’t belong to them, it’s not their property.
“If my information could potentially be compromised, I want to know how they’re going to compensate me and I want to know what contingencies they have put in place to make sure this won’t happen again.
“I mean they sent the apology letter by registered post…it’s just a complete and utter debacle.”
Lesmurdie resident Sean Powell was not impacted by the loss of data, but as a computer forensics analyst, he said the incident was staggering.
“That a government or local government office would make the conscious decision to send financial documents that contain personal identifiable information of the ratepayers in an unencrypted format using non-registered mail is staggering,” he said.
“It is a fundamental principle of data security that any sensitive material that is copied onto USB should be encrypted in one form or another if it is leaving the building.
“The City has said they have assessed it as “low risk” but in reality, they have no idea where that information has ended up or how it might be abused in the future.”
In a further response to questions from Echo News, recieved just prior to deadline, the City confirmed it had a data security policy in place prior to the USB being lost.
However it would not confirm if there had been a serious breach of this policy, only saying that it had commissioned a review into the circumstances surrounding the disappearance.
They also confirmed they would not be offering compensation to ratepayers, saying once again that the situation is low risk.