The immigration department has admitted it accidentally published the personal details of 10,000 asylum seekers in detention on its website.
The department said the information was never intended to be in the public domain after The Guardian reported that details of every asylum seeker in Australian detention, community detention or on Christmas Island were affected by the privacy breach.
"The department acknowledges that the file was vulnerable to unauthorised access," a spokeswoman said in a statement.
"The file has been removed and the department is investigating how this occurred to ensure that it does not happen again."
The Australian Privacy Commissioner Timothy Pilgrim will investigate the breach and will receive a detailed report from the immigration department.
"This is a serious incident and I will be conducting an investigation into how it occurred," he said in a statement.
"The Office of the Australian Information Commissioner will be working with the department to make sure they are fully aware of their privacy obligations and to ensure that incidents of this nature will not be repeated."
Interim findings by KPMG to be complete next week: Morrison
Minister Morrison says the Department of Immigration has engaged KPMG to conduct an investigation with an interim report to be complete next week.
"But there is no excuse for that information to have been put there in a way that could have been potentially accessed," he told Sky News, "and we're getting to the bottom of that. KPMG will give us some interim findings on that next week. And that will provide the ability to ensure that there is no repeat of these things."
"I do find it unacceptable. I have made that very clear to the Department Secretary. And to the extent disciplinary action is required and appropriate then I would expect that to be taken."
Mr Morrison said the data had been on the government website "only...for a few days".
"It was placed there inadvertently. It wasn't readily accessible. It required quite a number of things for any user to do to gain access to that information."
Data breach has legal implications
In the past, the immigration department refused to release asylum seekers' personal information because it could put them in danger.
The Refugee Council of Australia says the safety of thousands of asylum seekers and their families has been put at risk through the publication of personal information about them by the Immigration Department.
The chief executive of the Refugee Council of Australia, Paul Power, says it is an outrageous breach of security with serious implications.
"Certainly in a number of countries of asylum, people who have gone somewhere else to seek asylum are pursued by the authorities in different ways and to be named in this way by the Department of Immigration has all sorts of implications," Mr Power told SBS.
"But it could also potentially create an immediate risk for family members who could be tracked by authorities in the country of origin as being linked to a person in detention or community detention in Australia."
Labor immigration spokesman Richard Marles said the government had an appalling record of information management.
"It can't determine what should be made public and what should be kept private," he told reporters in Canberra.
"It's getting it wrong at every turn."
He warned there could be legal implications as a result of the breach.
Australian Greens senator Sarah Hanson-Young says the data breach makes a mockery of the government's obsession with secrecy.
Comment has been sought from Immigration Minister Scott Morrison.