CFA warned of ‘serious security breach’ prior to fire season

One source, who asked not to be identified as they feared they could lose their job for speaking out, claimed they were instructed by a senior figure in the CFA’s learning and development department to lie to volunteers at a meeting on March 5.

“He said words to the effect that ‘I understand that we’re expecting you to lie to members’,” the source said.

Internal documents obtained by The Age reveal the problem should have been rectified by the end of January but remains unresolved, while volunteers remain unaware of the failed audit.

In response to the claims about the March 5 meeting, a spokesperson for the fire authority said: “CFA always endeavours to be honest and open with its members at all times and ensure that they have the right information, when they need it.”

Regarding the failed audit, the CFA said the VRQA found the fire authority had awarded statements of attainment to members who had completed a nationally accredited training unit without having a prerequisite unit.

“This was an administrative error that CFA was not aware of and had been issuing the statements of attainment in good faith,” a spokesperson said.

“The CFA has taken steps to identify and notify impacted members and update training systems to prevent the unit from being awarded again without the prerequisites .. . and retrospectively issued a replacement competency unit in 2020 to all affected members.”

The Age has been inundated with examples of harassment and bullying since publishing multiple stories about CFA’s repeated failure to reform its dysfunctional workplace culture.

It revealed last week the CFA instructed its own investigators to drop or avoid some complaints of serious sexual assaults, harassment and bullying and in one case forced staff in its integrity unit to sign non-disclosure contracts or face disciplinary action.

It also faces accusations of an entrenched culture of misogyny and discrimination, which has led to renewed calls for the release of a report by the Victorian Equal Opportunity and Human Rights Commission.

The report was suppressed in 2018 after a legal challenge by the powerful United Firefighters Union.

The IT consultant who worked briefly for the CFA said he raised concerns in early 2019 about the organisation’s mandatory self-assessment and reporting requirements within the Victorian Protective Data Security Standards.

Victorian government agencies are required to provide a high-level “protective data security plan” every two years to the Office of the Victorian Information Commissioner (OVIC) to show their level of compliance.

The former CFA contractor noticed inconsistencies between an internal audit completed by Ernst & Young for the CFA and the report they submitted to the OVIC. The version submitted to the OVIC made the organisation look partially compliant when it was not and hid the fact that the CFA was vulnerable to phishing or hacking, the man said.

Loading

“They’d gone in and … altered reports to the audit office. Their internal audit done by Ernst & Young, it differed from the reports they sent into OVIC of their security and data compliance,” he said.

He raised it with his manager and was told the differences were “just wordsmithing”.

“I said, ‘This is not wordsmithing, this is saying you’re compliant with these practices,” he said.

“Out of the 18 measures you have to be compliant with the audit, you’ve just doctored five or six out of 13 to make them compliant without evidence and without attachments. So how can you send this stuff in?”

The man, now semi-retired, has worked for several large companies and organisations but said working for the CFA was the worst experience of his professional career. He said the CFA had a reputation as a “no-go zone” in the IT sector because of complaints and issues not being dealt with by management.

An internal investigation into the man’s claims completed in March last year and obtained by The Age recommended an external forensic auditor experienced in IT be engaged to investigate, and that IBAC should be alerted to the complaint.

“This is a serious allegation which if true could leave CFA exposed … to a serious security breach that could affect key mission critical operations systems during fire season,” he wrote.

The investigator also found that falsely reporting to VPDSS could result in legal action, adverse publicity, reputational damage and IBAC involvement.