Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Government mistakenly leaks consultancy fees of 400+ firms via forwarded email

The government has accidentally leaked the billing rates of over 400 consultancies via a mistakenly forwarded email.

user icon Daniel Croft
Thu, 18 Jan 2024
Government mistakenly leaks consultancy fees of 400+ firms via forwarded email
expand image

The leak occurred when the Department of Health and Aged Care forwarded an email containing the “MAS Supplier Matrix”, a confidential database containing federal government quotes from consultancy firms.

Twenty-two consultancies received the email, including one of the big four firms, which contained data pertaining to 413 consultancy firms, including three of the big four.

The department reportedly distributed the data six times between 3 November and 9 November. Minister for Finance Katy Gallagher quickly attempted to lock down the breach, handing the Senate emails between firms following the leak’s discovery, as part of the Senate disclosure.

============
============

“As you can appreciate, this document is commercial in confidence and is not meant for distribution,” an official of the Finance Department told the Health Department a week after the data was first leaked.

According to the document, Gallagher was not properly informed of the incident until a month had passed on 8 December.

The exposed data presents a major problem for the exposed firms, as it grants the recipient consultancies a major advantage when it comes to bidding for government contracts, allowing them to price accordingly and narrowly undercut unknowing rivals.

Known firms that received the data include McKinsey & Company, and BCG, which, alongside the big four, are the country’s biggest advisory consultancies to the government. Law firms MinterEllison and Clayton Utz also admitted to receiving the data.

The government has since responded to the leak, saying that it had issued a “deed of confidentiality” update to the 22 firms that received the email, requesting that all personnel who were able to access the data sign statutory declarations.

Gallagher assured the Parliament that all 22 recipients of the email and their staff who had access to the data had signed deeds of confidentiality.

Of the 22 recipients, 12 firms downloaded the leaked data; however, only two reportedly read it. As part of the deed of confidentiality, all the recipients were required to delete it.

“Appropriate sanctions are available under the MAS head of agreement, such as suspension or termination from the MAS panel, for a service provider that breaches their obligations,” she said.

“As a further level of oversight to ensure service providers have acted in good faith and have not used the supplier matrix to gain commercial advantage, Finance will work with Commonwealth entities to undertake spot checks of responses to requests for quotes by the 22 service providers.”

In addition to the spot checks, which are set to continue for a minimum of 12 months, the ministry has said it will be bringing forward the annual MAS process to allow firms to decrease prices, apply for an adjustment based on wage price index movements over two quarters, or keep prices the same.

Gallagher has also demanded an answer from eight firms that delayed signing the confidentiality deed and is seeking potential consequences for the delays.

Concerns have been raised among affected firms, particularly following last year’s PwC scandal in which the consultancy provided organisations with government tax plans.

Affected consultancies believe that while the recipient firms have claimed to have deleted the data, the clean-up is too little, too late.

It also appears that the Department of Health and Aged Care is not facing any further consequences for the breach.

Update 19.01.2024: Whilst media initially reported that Accenture had received the email containing the data, a spokesperson from the firm confirmed they had not received the data, but did confirm that it's data had been leaked.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.