The Auditor General of Western Australia has labelled the security controls in place within one system administered by the Department of Justice as "so concerning they were not tabled as part of the office's annual information systems report in May 2019 as planned".
The auditor's 11th annual Information Systems Audit Report[1] was tabled in May 2019 and contained the results of the 2018 annual cycle of information systems audits.
In addition to those that were published at the time, the audit was also performed on the Western Australian Registry System, used by the Registry of Births, Deaths and Marriages, which is a division of the WA Department of Justice.
"The results of the audit were so concerning that, in a highly unusual step and in accordance with sections 7(6) and 25(1) of the Auditor General Act 2006, I decided not to include the results of this application controls audit in the May 2019 report to Parliament," Auditor General Caroline Spencer wrote in a report[2] [PDF] published Thursday.
"I considered that publishing the significant findings at that time, when the system vulnerabilities still existed, would not be in the public interest."
Spencer said her office frequently finds weaknesses in public sector entities' systems, but that the nature of the data in the Western Australian Registry System, and what it can potentially be used for, rendered the findings in her report "particularly concerning".
The system contains valuable records that are used to confirm people's identity. It registers all adoptions, births, deaths, marriages, and change of name events in the state. In 2019, the system was found not to be adequately protecting the confidentiality and integrity of the information housed within it.
"Highly confidential and foundational