Service NSW’s 2nd Cyber Breach Exposes 180,000 Details


Service NSW has confirmed that a cyber breach has exposed the personal details of up to 180,000 residents, with more than half a million documents exposed, just a week after a trove of 54,000 NSW licences were breached. 

Yesterday, Service NSW confirmed that one of its departments was hit by a “criminal attack” in the form of a data breach earlier this year, but is only informing the public now. Service NSW launched an investigation into the breach in May after discovering that a number of its staff email accounts were exposed back in April. 

The ABC has said it made a number of requests under the Freedom of Information Act regarding the data breach, but these were rejected on the basis that the investigation was ongoing. 

In a statement, Service NSW said that “this cyber incident was a criminal attack. Cyber-attacks occur daily, and we are often able to intercept them. On this occasion, we couldn’t stop the attack. There is a NSW Police investigation underway and a review by the auditor general of Service NSW’s practices and systems. This audit will assess how effectively Service NSW handles personal customer and business information.”

The NSW Police force has said it has launched an investigation to discover who accessed the sensitive information stored on Service NSW’s network, with Service NSW adding that it will notify those impacted by the data breach via registered post in the next few days. 


According to a report from ZDNet, “Service NSW said it identified that 738GB of data, which comprised of 3.8 million documents, was stolen from the email accounts” of staff members. 

Chief Executive of Service NSW, Damon Rees, has said that millions of documents could potentially have been exposed.

“The investigation, which began in April, engaged forensic specialists to analyse 3.8 million documents in the accounts.” 

“This rigorous first step surfaced about 500,000 documents which referenced personal information,” Rees said. “Across the last four months some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process.”

“We are sorry that customers’ information was taken in this way,” Rees added. 

Just last week we reported that more than 54,000 NSW driver licences were found on a publicly accessible database discovered by a Ukrainian security researcher, Bob Diachenko. The stash of 54,000 licences was accompanied by more than 108,000 documents which included the personal information – names, dates of birth, and addresses – of NSW residents, representing one of the most significant data breaches originating from a government system in modern history. 

Cyber Security NSW confirmed that a commercial third party was responsible for the exposure of NSW driver licences, and told the party it was their responsibility to notify those impacted by the breach.


Opposition MP Sophie Cotsis said that it was the responsibility of the sitting government to notify those impacted by the breach, especially considering the sensitive nature of the information that was exposed.

In reference to the most recent revelations, Cotsis called the breach “unprecedented” and said that “it is extraordinary that this attack has been allowed to happen.” 

“Whether it’s births, deaths and marriages, registration, guardianship information – today people should be questioning whether they trust the information that they’re providing to the Government and the security measures that the government is taking to keep their information safe.” 

“This is extraordinary – this is four months and they haven’t notified people… the last we heard is that they’re going to [use] registered mail notification, I mean that’s outrageous. It shouldn’t take four months to notify people whose information has been leaked and cyber criminals have access to that information,” Cotsis concluded.
