By Gary Adshead
An astonishing online security failure has exposed thousands of sensitive and confidential Metropolitan Cemeteries Board documents.
WAtoday and 6PR were alerted to the gaping security hole in the MCB’s website, which meant anyone could access the documents by clicking on ‘restricted content’ links.
Those links were supposed to have been password protected and only accessible to certain staff and board members.
It was also possible to enter the ‘board members’ only’ portal without an email address or password by clicking the ‘already logged in?’ tab.
While it’s unclear how long the MCB’s website had been compromised, minutes of board and committee meetings, details of incidents involving the transportation of bodies and fresh revelations about fraud are among documents that could easily have been viewed by the public.
The security lapse comes six weeks after a whistleblower leaked damaging internal emails from the MCB’s chief executive Kathlene Oliver.
She was concerned that the MCB, which manages seven cemeteries, including Karrakatta, Pinnaroo and Fremantle, was “exposed to fraud and corruption” because of “alarming” procurement practices.
Major contracts worth more than $1 million were being awarded without a tendering process, prompting the Corruption and Crime Commission to investigate.
The latest scandal is compounded by the fact that the MCB had recently undertaken a review of its cybersecurity systems and the details of plans to combat online threats can be read via one of the restricted content links.
“It has been determined that the most significant vulnerability within the organisation resides within the PROTECT and RESPOND domains of the established cybersecurity policy,” one document reads.
Some documents seen by WAtoday and 6PR throw a spotlight on other serious internal issues the MCB has had to manage.
In a presentation titled Corporate Governance, the chief executive outlined evidence of “suspected timesheet fraud, procurement misconduct and secondary employment”.
She refers to a senior staff member “forging the signature of key personnel from (the) Department of Finance” and said the CCC was investigating.
There was also a different senior employee who had left the MCB with a payout despite the CCC confirming they were involved in timesheet fraud.
Under the heading ‘careless or negligent behaviour’, the chief executive told her board about a piece of equipment which was allowed to be installed at Karrakatta’s crematorium even though it had already injured two staff members at the Fremantle crematorium.
According to MCB board minutes, there were two occasions last year when leaking coffins “exposed employees to biohazardous waste”.
In one case, a funeral director was found to have “knowingly delivered an unsuitable and hazardous coffin to the MCB after a chapel service”.
A business case prepared by the MCB for the state government to consider last year was also available to read on the website.
It complained that “resourcing has not been increased over the last 10 financial years despite consistent strong increases in activity”.
The business case warned that staff were struggling with a 21 per cent increase in workload, which was “unsustainable and has resulted in errors and increased injury to employees”.
But on the other hand, the MCB has more than $74 million tied up in privately managed investment funds.
Saving Family Headstones at Karrakatta spokesman Shane Becu told Radio 6PR he had been unsuccessfully trying to request information from the Board through freedom of information requests before realising the website breach.
“I think it just goes to show the internal issues they had with their administration,” he said.
“This is evidence of a culture of problems.”
In a statement, the MCB said it was not aware of the website breach until contacted by WAtoday and 6PR on Monday morning.
“The MCB has temporarily taken down its website whilst it investigates the cause for the access control deficiency and rectifies the issue,” the statement read.
“The MCB has advised the systems that store personal information, such as transaction records, are secure and were not accessible.”