Details have emerged about a serious data breach by a federal government contractor. 

Reports say that the Department of Home Affairs (DHA) became aware of a breach in September last year when its cybersecurity unit detected documents had been sent externally.

The DHA contractor is alleged to have removed the “classified” status from files relating to 500 departmental projects and forwarded them to his personal email address, scrubbing the classification ratings so his actions did not trigger an internal departmental alert system.

Any kind of alteration to Commonwealth records without approval is a breach of the Commonwealth Crimes Act and a breach of the Department of Home Affairs' internal security instructions.

The man allegedly held a NV1 (negative vetting level 1) security clearance, so was allowed to view secret documents and have temporary, supervised access to top-secret information.

The unauthorised activity may have taken place as early as 2020 and ran until the man's contract ceased in June 2021. He was involved in projects across the Home Affairs portfolio, including Australian Border Force data.

A former colleague has told reporters that the contractor was brought back for a meeting with the department's intelligence branch, which resulted in him agreeing not to take on further projects with the department.

But he was subsequently able to pick up more contract work with another large federal government department. 

No formal intelligence breaches were recorded by Home Affairs last year, but it is unclear whether the classified information was passed on to third parties.