Service NSW has revealed that the personal information of 186,000 customers was stolen because of a cyber attack earlier this year on 47 staff email accounts.
Following a four-month investigation that began in April, Service NSW said it identified that 738GB of data, comprising 3.8 million documents, was stolen from the email accounts.
The one-stop-shop agency gave an assurance, however, that there was no evidence that individual MyServiceNSW account data or Service NSW databases were compromised during the cyber attack.
"This rigorous first step surfaced about 500,000 documents which referenced personal information," Service NSW CEO Damon Rees said.
"The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications.
"Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process.
"We are sorry that customers' information was taken in this way."
Service NSW said it would now progressively notify affected customers by sending personalised letters via registered post containing information about the data that was stolen and how they could access support, including access to an individual case manager to help with possibly replacing some documents. The agency expects to complete notifying customers in December.
"Our focus is now on providing the best support for approximately 186,000 customers and staff we've identified with personal information in the breach," Rees said.
Service NSW also revealed that NSW Police is currently carrying out an investigation into the incident, which has been labelled as a "criminal attack".
A review by the NSW auditor-general into Service NSW's cybersecurity defences, practices, systems, and education is also underway.
Service NSW said that, in light of the incident, it has added security measures to protect against future attacks, such as partnering with IDCare, which will provide the agency with additional "cyber support".
"We have accelerated our cybersecurity plans and the modernisation of legacy business processes to keep customer information as safe as possible," it said.
Last week, it was revealed information on thousands of New South Wales driver's licence-holders was breached, with reports indicating a cloud storage folder that had over 100,000 images was mistakenly left open.
Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver's licence images. It said it was the responsibility of the commercial entity to investigate this matter and notify any customers if their data had been breached.
In June, the New South Wales government committed AU$240 million to bolster the government's cybersecurity capabilities, including investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce.
Alongside this, the state government announced intentions to stand up a sector-wide cybersecurity strategy and is calling for industry submissions to help shape it.
"The 2020 NSW Cyber Security Strategy will ensure the NSW government continues to provide secure, trusted, and resilient services in an ever-changing and developing environment," Minister for Customer Service Victor Dominello said.
"The new strategy will be delivered through an integrated approach to prevent and respond to cyber security threats and safeguard our information, assets, services, businesses, and citizens."