Kingborough Council’s chief executive has admitted the council has no formally adopted data governance policy, days after a breach exposed thousands of property owners’ names and addresses online.
Dave Stewart fronted residents at Monday night’s council meeting, where the April 30 incident dominated public question time.
He confirmed the breach was caused by human error, not a cyber attack.
“It hasn’t been an intrusion or a hack or anything of that sort,” Stewart said. “It’s purely a human error.”
Stewart told the chamber the exposed data was primarily property addresses and owner or occupier names and that a small number of records may also have included email addresses.
An Oyster Cove resident pressed Stewart on the council’s governance arrangements.
Asked whether council had a formally adopted data governance policy, Stewart said it did not.
“What we do have is process and we have updated that process to include an additional layer of approval before data is published into any public-facing system,” he said.
He could not say when the arrangements were last independently audited but said the ultimate accountability sat with him.
The resident also criticised the decision to first announce the breach through a late-night Friday Facebook post.
“I had to find out about it because I looked for it. You guys didn’t tell me,” she said. “That’s my private information.”
Stewart said he had been alerted to a potential issue at 11:15am on the Thursday but did not have meaningful detail until about 8pm that evening.
The Friday statement went out earlier than he had intended because the matter was already circulating on social media, he said.
A Howden resident drew out that council learned of the breach through an external tip-off rather than internal auditing.
Stewart conceded he could not guarantee the data had not been misused, but said an external firm was now monitoring the open internet and dark web.
Affected residents will be written to once the investigation is complete.
