Reports have emerged that NSW Transport has been hit with a data breach that has seen 54,000 driver licences exposed through a mistake from a non-affiliated commercial enterprise.
Security researcher Bob Diachenko has said that while investigating a separate data breach, he discovered a misconfigured cloud storage system left exposed containing more than 54,000 NSW drivers licences.
According to a report from the ABC “the storage folder, which he said was easily discoverable, contained back-and-front scans of NSW licences alongside tolling notices hosted on Amazon’s cloud service.”
The files left exposed – and easily accessible – contained photos, addresses, full names, dates of birth and photos of potentially tens of thousands of NSW residents in what Diachenko calls a “dangerous exposure” of personally identifiable information.
NSW Transport has not yet contacted those implicated in the data breach.
While it’s unknown just how long the files were left accessible online, Diachenko says it’s certain that “malicious actors” have both viewed and made copies of the files for their identity theft campaigns.
“A malicious actor can impersonate somebody and apply for credit, or do something on the behalf of that person,” Diachenko explained, adding that “for example, you take one licence and connect the dots with one owner of this licence, with his or her emails exposed in another data breach and you’ve got more information on that person.”
“All the documents I observed were related to the NSW area and there was no indication as to who might be the owner of the data,” he told ITNews.
According to that report, one folder contained 108,535 images of driver’s licences, with another containing thousands of Roads and Maritime Services toll notice statutory declarations.
A spokesperson for Transport for NSW has said that the files were not connected to any government system.
“Transport for NSW does not retain, nor collect tolling data in the manner described,” they said, adding that “Transport for NSW is however working with Cyber Security NSW to investigate the alleged data issue relating to an Amazon Web Services S3 bucket containing personal information including driver licences.”
“While it is always important for licence holders to be privacy aware when providing their sensitive personal information to other parties, Transport for NSW recognises that some third parties routinely request driver licence information as part of their business practices,” the spokesperson continued to explain.
The Office of the NSW Privacy Commissioner has released a statement saying that the breach was most likely the result of a commercial organisation. A spokesperson for the Office said that “the NSW Privacy Commissioner is aware of the breach and has received a preliminary briefing on the breach from Cyber Security NSW.”
“The Privacy Commissioner understands that a commercial business, unconnected to the NSW Government, was responsible for the breach,” adding that “the breach is not associated with a NSW Government Agency or any NSW Government system or process.”
Troy Hunt, the founder of Have I been Pwned and renowned cyber security expert has said that even if the breach wasn’t due to an error within Transport NSW, they still have a duty of care to notify customers of the “high risk” information leak.
“I think there should have been a notice,” Hunt said, adding that “I would be pushing for a disclosure on this, because it’s something that’s quite important.”