The Department of Finance has once again accidentally leaked confidential and sensitive commercial information to consulting firms bidding against each other for government contracts.
But the department says the emails, which were sent to 236 businesses, contained old data not useful to current bidders.
It is the second such embarrassing leak for the department, the first being in November last year.
Department secretary Jenny Wilkinson has launched an independent review into both of the serious gaffes, to be conducted by former ombudsman Michael Manthorpe.
In a statement, the department said the leaked rates were now outdated as they were for November.
“On 14-15 February 2024, the Department of Finance, as contract managers for the Management Advisory Services Panel, emailed 236 suppliers with details of their updated pricing,” the statement said.
“The email included embedded information with some third-party confidential information.
“Please note that no third-party confidential information would have been accessed or viewed by a person who simply opened the email or its attachments.
“Upon becoming aware of this on 19 February 2024, Finance immediately took a number of steps.”
Those steps include calling or attempting to call all 236 suppliers on 20 and 21 February to seek the deletion of the email and attachments.
This was followed up with an email to seek written confirmation of the deletion.
The panel advisory firms the information was sent to include the biggest consultancies: EY, KPMG, Deloitte, Scyne Advisory (the former PwC government contract arm), MinterEllison and Clayton Utz.
The leak has been put down to human error: the information was included, but accidentally “hidden”, in emails sent out to confirm suppliers’ rates.
On 21 February, the department advised all suppliers on the MAS Panel of the matter and the actions undertaken so far.
The Manthorpe review will consider the circumstances that led to the unauthorised disclosure of the information, as well as the department’s systems and processes.
In the statement, Finance described the potential disclosure of this third-party confidential information as “regrettable” and apologised for the “oversight”.
A subsequent statement issued by the department provided more information about the incident.
“The third-party confidential information that was embedded within the spreadsheet attachment comprised contact details and fee information for providers on the MAS Panel that was current as at November 2023,” it stated.
“The fee information that could be identified through manipulation of the spreadsheet is not representative of the current pricing of all providers on the MAS Panel (given that most suppliers have adjusted their fees over the past few months).
“As previously advised, this information would not have been accessed or viewed by a person who simply opened the spreadsheet.”
It said the fee information under the MAS Panel was a maximum charging point that suppliers proposed, but was commonly reduced in response to individual requests for tender.
All service providers will be given a further opportunity to amend pricing in April, as a part of the usual fee adjustment process outlined in the MAS Head Agreement.
And Finance has sent confidentiality deed polls and statutory declarations to all suppliers who received the spreadsheet, seeking their urgent execution.
Finance Minister Katy Gallagher was attending the G20 meeting in Brazil when news of the data breach broke.
Shadow finance minister Jane Hume, however, said Senator Gallagher must “come clean” on how hundreds of businesses had had their privacy and commercial arrangements breached.
“It is staggering that the Department of Finance under Minister Gallagher has released information on up to 400 companies, some with personal details of individuals, only months after a similar breach had to be cleaned up,” Senator Hume said.
“When the original breach occurred in November, the Minister tried to brush concerns away with claims that appropriate steps had been taken.
“Clearly, she was wrong. This isn’t just a one-off, this is now a track record of incompetence.
“In the latest breach, it was only days later that the Department of Finance became aware of the fact that they breached privacy and commercial confidentiality arrangements.
“This will damage the public confidence in government procurement processes and the certainty of any business working with the Commonwealth in the future.”