Identified Service NSW customers at risk will be notified by person-to-person registered mail via Australia Post.
Those identified as having personal information revealed will have to sign for the letter, that will be personalised and include important information about data accessed during the breach and how they can find support.
People are warned not to respond to unsolicited attempts to contact them by phone or email, and particularly not to respond with further personal data.
This follows a “data breach” in which NSW drivers’ licence details were inadvertently left exposed to the Internet four months ago.
The documents were discovered by a Ukrainian security consultant who stumbled upon an unsecured computer folder on an Internet server. He said it was easily discoverable, contained back-and-front scans of NSW licences alongside tolling notices, and was hosted on Amazon’s cloud service.
The total number of images inside the directory was over 100,000 – about 54,000 NSW licences. They revealed names, photos, dates of birth and addresses of drivers.
Amazon is refusing to disclose the identity of the owner of the open cloud storage where the driver’s licences were found. Service NSW says it was forced to work with third-party organisations to identify the owner of the Amazon Web Service (AWS) storage that hosted the documents.
AWS won’t disclose the name of the entity, but have confirmed it is a commercial entity,” a Cyber Security NSW spokesperson said.
An investigation that began in April engaged forensic specialists to analyse 3.8 million documents in the accounts. This revealed about 500,000 documents of personal information.
The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications,” said Service NSW CEO Damon Rees.
Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process.
We are sorry that customers’ information was taken in this way.
Our focus is now on providing the best support for approximately 186,000 customers and staff we’ve identified with personal information in the breach.”
The registered mail will be sent progressively as the data is validated, with the notifications due to be completed in December.
Opposition MP Sophie Cotsis criticised the Government for taking four months to alert residents.
This is extraordinary — this is four months and they haven’t notified people,” she said.
It shouldn’t take four months to notify people whose information has been leaked and cyber criminals have access to that information.”
NSW Police are working with Service NSW as they assess potential lines of inquiry about consequent criminal attack. Service NSW has also regularly briefed Cyber Security NSW and the Information and Privacy Commissioner.
There is no evidence that individual MyServiceNSW Account data or Service NSW databases were compromised, a spokesman said.
Independent cyber support community service IDCARE has partnered with Service NSW to provide an additional level of expert support.
IDCARE Managing Director Professor David Lacey said the innovations being applied by Service NSW will have a considerable positive impact on the response.
The approach Service NSW has taken will set a new benchmark on what proactive protections can be put in place from an impacted person perspective, and it provides a roadmap for treating individual risk,” said Professor Lacey.
A new Service NSW hypercare team will help customers on a case by case basis including with documents that may need to be replaced.
Access to the cyber support community service IDCARE who will provide an additional level of expert support.
If a customer has any doubt about a contact from Service NSW about this or any other security matter, they should call the Service NSW contact centre on 137788.
Service NSW has made several updates to the cyber incident URL to keep the community informed. The site has been updated with the latest information about the response.
Service NSW will never call or email a customer unannounced to request customer information about this or any other data breach.
Take this seriously
Drivers licences are the foundation stone for identity theft.
They provide the holder of one – forged, stolen, or scanned or photographed image – to get a foot in the door to banking and phone companies as a primary document for identity. The other primary or secondary documents are relatively trivial for an identity thief to replicate.
Once a thief is a dual identity holder, he or she can wreak untold personal, reputational, and financial havoc that can take years for you to repair.
It is imperative, therefore, to follow these steps provided by Service NSW.
Whether or not you’ve been affected by this breach, below are some steps to check and protect your identity, finances, and personal information.
Protect your passwords
Use passphrases and use different ones in different places. For Internet use, employ software known as a “password safe” which can store and automatically type very complex passwords for you, all protected by a single memorable password.
Use two-factor authentication
Set up and learn to use two-factor authentication (2FA) for your important accounts. For banking the ideal is a key generator supplied by some banks and building societies. These devices are not Internet (like Captchas) or phone dependent (like SMS).
Fortify your finances
Check bank statements and report anything amiss, and set up a credit alert.
COVID-19 scam messages
Be alert to emails and phone calls who might address you by name and request further personal details “for your own protection” before proceeding. Hang up.
Protective measures for individuals following a data breach
Check with the ATO for any unauthorized requests for early release of your super.