Following reports on Thursday morning that a staff member from Service NSW clicked on a suspicious link from an email, the New South Wales government has confirmed it was the target of a malicious phishing attack.
The breach was first thought to have affected only individuals who visited a Service NSW shopfront or called the state government service, with those transacting via the app or website channels not compromised.
But in a statement Thursday afternoon, Service NSW revealed the breach, which occurred on 22 April 2020, had seen customer information held in emails accessed.
"On 22 April, Service NSW launched a comprehensive investigation in response to the discovery of a possible breach. Initial assessments were not clear on the reach of the attack," it said.
"This investigation subsequently identified the email accounts of 47 Service NSW Staff members were illegally accessed."
Service NSW said forensic specialists have been engaged to perform a deep analysis of the email accounts to identify any personal information that may have been accessed through this attack.
"We are now working as quickly as possible to confirm the scope of this attack on the personal information of our customers," Service NSW CEO Damon Rees said, adding internal cybersecurity teams stopped the attack and worked to limit its impact.
"We are now confident the criminal access was limited to the content of those email accounts, which are related to transactions over the phone or over-the-counter at a Service NSW Centre."
"Cybersecurity is incredibly important and we're very sorry that we haven't been able to successfully protect our customers against this complex attack."
Service NSW has established a dedicated team to offer help to affected customers.
"Service NSW will contact customers who we determine have been affected by this criminal attack," it wrote.
"This is a very complex issue and the analysis and investigation are both ongoing."