The blame game has intensified between Amazon, the NSW government and tech researchers after AWS refused to name the company responsible for allowing 54,000 NSW drivers licences to be exposed.
Earlier this week we reported that a trove of more than 108,000 documents was discovered by a Ukrainian security researcher; it included 54,000 drivers licences exposed through a misconfigured cloud storage system.
Service NSW has since said that it is working with third parties to determine the owner of the Amazon Web Service (AWS) ‘bucket’ that was the host of the files.
A spokesperson for Cyber Security NSW has said that “AWS currently won’t disclose the name of the entity, but have confirmed it is a commercial entity.”
Cyber Security NSW has launched a formal investigation into the breach, and is attempting to make organisations more aware of their “responsibilities to report and remediate any breach.”
Chief Security Officer with Cyber Security NSW, Tony Chapman has said that “we do not know how long this commercial entity had this data open for… we do not know whether anybody other than the security researcher quoted in media coverage has accessed this information.”
Bob Diachenko, the man responsible for discovering the documents, said at the time that he is certain that “malicious actors” have viewed and made copies of the files for their future financial and identity theft campaigns.
Diachenko explained that “a malicious actor can impersonate somebody and apply for credit, or do something on the behalf of that person… for example, you take one licence and connect the dots with one owner of this licence, with his or her emails exposed in another data breach and you’ve got more information on that person.”
“All the documents I observed were related to the NSW area and there was no indication as to who might be the owner of the data,” he told ITNews.
A spokesperson for Amazon has said that it intends to fully cooperate with Cyber Security NSW in their investigations, and their early understanding is that the trove of data was made public due to a misconfigured default privacy setting within the cloud-based storage system.
“AWS operated as designed and is secure by default. AWS customers own and fully control their data,” Amazon said. “As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting as intended.”
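Amazon's statement puts the onus on the account owner's access configuration. As an added example (not from the article, and not AWS code), the following Python audit flags buckets whose ACL grants access to everyone, while honouring the bucket-level Block Public Access setting; the sample ACL is constructed, and `audit_account` is the only part that needs live AWS credentials.

```python
"""Flag S3 buckets whose access configuration lets anonymous users read them."""

# Grantee URIs S3 uses for "anyone" and "any signed-in AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The hardened Block Public Access configuration (all four switches on).
ALL_BLOCKS_ON = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample shaped like a get_bucket_acl response; not real data.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def public_grants(acl, public_access_block=None):
    """Return (group, permission) pairs that expose the bucket to everyone.

    `acl` is a get_bucket_acl response; `public_access_block` is the bucket's
    PublicAccessBlockConfiguration, or None when none is set (nothing blocked).
    Caveat: an account-level Block Public Access setting can also neutralise
    public ACLs; it is not consulted here.
    """
    if (public_access_block or {}).get("IgnorePublicAcls"):
        return []  # public ACL grants are ignored, so they expose nothing
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def audit_account():
    """Live audit of every bucket in the caller's account (needs boto3 + credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3, report = boto3.client("s3"), {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:  # raised when no block configuration exists
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = None
        report[name] = public_grants(s3.get_bucket_acl(Bucket=name), pab)
    return report
```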
According to a report from the ABC, “the NSW government has been blasted for failing to notify NSW drivers that their personal details have been exposed.”
Service NSW has said, however, that it remains the responsibility of the unnamed commercial entity to notify those impacted by the data breach.
The ABC’s report quotes Suranga Seneviratne, a cyber security lecturer at the University of Sydney, who says that the NSW government should take a more proactive approach to the data breach, given the extremely sensitive information listed on drivers licences.
“Transport for NSW should notify these people, we cannot wait until we find the source… that’s something we should do immediately.”
“It might be the case that we never find them at all,” he added.
State and Federal opposition parties have said that the NSW State Government has “a moral obligation to notify people as soon as possible if they are affected by a data breach.”
Opposition spokesperson for better public services, Sophie Cotsis, has issued a statement saying that “while this breach apparently involves a private company, the NSW government should still be taking steps to help affected people protect themselves against identity theft and cyber crime.”
“The NSW Government is responsible for administering driver licences, and it has a responsibility to protect people against cyber crime and identity theft,” she said, adding that “every day the Government delays, they are putting people at risk.”