Unknown commercial entity blamed for NSW driver's licence data breach

The identity of the entity is unknown to Cyber Security NSW and AWS isn't exactly helping to determine who it is.

Earlier this week, it was revealed information on thousands of New South Wales driver's licence-holders was breached, with reports indicating a cloud storage folder that had over 100,000 images was mistakenly left open.

According to Transport for NSW (TfNSW), it was told on Thursday by Cyber Security NSW that a cloud storage folder hosted by Amazon Web Services (AWS) containing personal information, including photos of driver's licences, was not adequately secured.

"Transport for NSW quickly established that it was not the owner of the cloud storage folder," it said in a statement.

On Tuesday, Cyber Security NSW confirmed a commercial entity was responsible for the breach of scanned driver's licence images. It said it was the responsibility of the commercial entity to investigate this matter and notify any customers if their data had been breached.

AWS has so far not provided information on the identity of the commercial entity, nor the customers that may have been affected by the breach, Cyber Security NSW chief cybersecurity officer Tony Chapman said.

"There are mandatory reporting requirements under the Office of the Australian Information Commissioner that the commercial entity needs to adhere to," he said. "Cyber Security NSW will continue to work with other organisations to seek more information about the commercial entity involved and encourage them to reach out to their customers if their information has been breached."


Chapman said the information was not provided by, nor sourced from NSW government agencies, and that his team does not know how long this commercial entity had this data open for, nor who had access to it.

TfNSW said that, as it is not the owner of the folder and does not have access to its contents, the identities of all those who may have been affected cannot be determined.

"Transport for NSW takes customer data security concerns seriously and will support those who have been the victim of identity theft," TfNSW said. "Where necessary new driver licence/photo cards are reissued on a case-by-case basis."

Cyber Security NSW launched its Cyber Security Vulnerability Management Centre in July. Operating out of Bathurst, 200km west of Sydney, the centre is responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies.

Service NSW fell victim to a phishing attack in April. The email accounts of 47 Service NSW staff members were illegally accessed, with the emails containing customer information.

A spokesperson for Service NSW told ZDNet that an investigation into the matter was still ongoing.

"The analysis into the attack on Service NSW staff email accounts is ongoing and the specialist teams are working through complexities including ensuring the data remains secure during the review," they said.

Also this year, the state government experienced a power outage at one of its data centres in Silverwater, west of Sydney, resulting in many state health and customer service functions reverting to manual processes.
