Service NSW not effectively handling private information: NSW Auditor-General

Report arrives following breaches earlier this year from emails spoofing Office 365 warnings.
Written by Chris Duckett, Contributor
Image: Asha Barbaschow/ZDNet

The NSW Auditor-General Margaret Crawford has released her office's report into how Service NSW handles personal and business information, following the agency being breached earlier this year.

In May, the agency fessed up to the phishing attack, which led to 47 staff email accounts being compromised. The breach was said to have impacted 186,000 customers and exposed up to 738GB of customer information contained within 3.8 million documents.

The Audit Office said in its report that the breach was actually a pair of phishing attacks across late March and early April -- the spoof email mimicked an Office 365 warning -- that led to a fake Office 365 log-in page from where credentials were harvested. Even though Service NSW had previously highlighted it did not have multi-factor authentication on its systems in 2018 and said it would be done by June 2019, it was not implemented until the breach occurred.

Even though Service NSW played down the impact of the breach in terms of customers affected this week, the Audit Office said it has not seen the data behind that statement and, at any rate, it was a serious breach and showed Service NSW needed to improve.

The agency has previously said the breach would cost around AU$30 million, but that is before remediation or compensation is taken into account, the Audit Office said.

The report presented a damning view of an agency that had grown fast, was not enforcing its own policies, lacked proper digitised and secure communication with other agencies and departments, and was using its Salesforce CRM for tasks it was not designed for.

"Service NSW is not effectively handling personal customer and business information to ensure its privacy," the report opened with.

"It continues to use business processes that pose a risk to the privacy of personal information."

One of the least compliant methods used by Service NSW was scanning and emailing personal information to some of the agencies it had client arrangements with -- one of which is Births, Deaths, and Marriages -- and not having automated controls.

Instead, the agency relied on manual policies that required its workers to "double delete" emails with scanned attachments from sent and deleted folders and delete scanned copies from shared drives.

"Operational risks to customer's personal information are not effectively mitigated and business processes that contributed to the recent data breach are continuing," the report said.

"While processes are in place to identify and record risks, the controls in place to mitigate risk need improvement."

The report added that Service NSW is far too reliant on employee training and does not have any sort of technical barrier to what workers do -- not even proper logs. 

"Once trained in how to conduct transactions on client agency systems, staff are provided with access logins. There are no further technical restrictions on a staff member accessing customer information without authority."

"There is also no way for Service NSW to routinely monitor access. We were told of examples of unauthorised access to customer information, though these were only detected by methods such as another team member reporting suspicious behaviour or following a complaint from a customer who suspected that their privacy had been breached."

Due to how Service NSW was created, and that it works with data from 36 other state agencies, the agency has arrangements with its brethren, which are not watertight.

"The lack of clarity in privacy responsibilities in agreements between Service NSW and its client agencies poses two risks," the report said.

"First, that necessary obligations will fall 'between the cracks' of the two agencies, with each assuming the other responsible for meeting an obligation.

"Second, that it creates uncertainty for individuals about which agency is responsible for their personal information and which agency is accountable should a breach occur -- even knowing to which agency the individual should complain."

Since it was created in 2013, Service NSW has grown from three client agencies to 36, increased staff numbers from 24 to just shy of 3,900, opened 109 service centres as well as four mobile centres, and increased the number of transactions it handles by 150%.

This growth was called out in its use of the Salesforce-managed CRM solution for information it was not intended to store.

"The CRM was primarily intended to be used for recording customer service interactions in relation to transactions that Service NSW performs on behalf of other agencies, without storing the personal information collected through those transactions. Transaction information is generally stored on client agency systems," it said.

"Since its inception, Service NSW's use of its CRM system has extended to storing transaction data, particularly for services for which it has responsibility, such as the Seniors Card. It also holds basic account details for over four million MyServiceNSW account holders, including at a minimum, name, email address, and phone number, and optional address details."

The Audit Office found the Salesforce instance held de-identified data such as health, disability, and Indigenous status on children who received Active Kids vouchers, and "program information for the Affordable IVF program".

"It also retains transaction information about firearms licence applications for a short period of around two or three days," the Audit Office said.

"Some staff interviewed for this audit were concerned that this evolution in the way the CRM system is used to store transaction information, along with the greater volume of data that is stored, has changed the risk profile from that which applied when the system was designed."

Ostensibly, the agency has said it has zero-risk appetite, but the Audit Office found holes in its attempt to reach that goal.

For instance, executives are not completing the yearly privacy management assessments, awareness of its privacy management plan is low among staff and it has not been submitted to the Privacy Commissioner as required, and even though it was informed that agency executives discuss enterprise risk, the Audit Office could find no mention of it in the minutes provided.

"This creates uncertainty regarding what is discussed at these meetings, whether any formal decisions are made, or actions agreed, at these meetings," it said.

Even though the Audit Office said Service NSW is capable of producing "good practice" privacy impact assessments, it only does so on major new projects and has not completed them on existing systems. Service NSW also does not publish the assessments, even if the assessment itself recommended to do so.

In its set of recommendations, the Audit Office said Service NSW needed to urgently implement a way to securely pass personal information between itself and client agencies, as well as review the need to store that information at all, and, if needed, create a more secure way to store and regularly delete it.

The report also recommended by March 2021 that Service NSW makes sure new agreements that it enters with client agencies cover how private information is stored and secured, reviews its privacy management plan with its overseeing Department of Customer Service, as well as works with the department on how it manages privacy risks.

By June, the report said Service NSW should have addressed the deficiencies found in its Salesforce instance, policies, and processes covering user activity on the system, partitioning, and role-based access restrictions to personal information. The agency should have also both allowed customers to use multi-factor authentication on their MyServiceNSW accounts and view a transaction history relating to their personal information to identify mishandling.

The report recommended by December next year that Service NSW modify existing agreements with client agencies to cover how private information is stored and secured, carry out a "risk assessment of all processes, systems and transactions that involve the handling of personal information", and complete a privacy impact assessment on unassessed high-risk systems, or systems with major changes since a prior assessment was made.

Minister for Customer Service Victor Dominello welcomed the "robust" findings of the report.

"My agency has committed to implementing all of the Auditor General's recommendations and has already implemented a number of critical security measures such as multi-factor authentication on staff email accounts," he said.

"Legacy systems -- like those targeted in this attack which contained photocopied paper attachments -- must be systematically removed and replaced with secure end-to-end digital systems.

"I sincerely apologise to those affected."

Related Coverage

Editorial standards