Cyber Security

Luke Hally

NSW government data breaches

August 2, 2021

I’ve noticed an ongoing pattern for the NSW government. They don’t appear to be able to keep data safe.

It was reported on 1 September 2020 that scans of about 54,000 NSW licences and toll notices were stolen. Being licences, they contained names, photos, dates of birth and addresses of drivers. The toll notices contained additional information such as business names and emails. Transport for NSW claimed it was caused by a ‘commercial entity’.

The data bucket was closed after the breach was reported to the Australian Cyber Security Centre in August, and AWS notified the unnamed commercial entity. AWS claims to have acted in accordance with the Privacy Act, and will not share the identity of the entity for contractual reasons. As of 30 November 2020, the entity that insecurely stored over 50,000 complete licence images is still unknown.

Poor track record

After learning about this, I easily discovered some other breaches in the NSW government.

According to reports, the attacks could have been prevented if the risks had been taken seriously and measures such as 2FA and adherence to the Essential Eight had been in place.

Response

The NSW Government appears to have taken the breaches on board, with plans to introduce data breach reporting that would fill some of the gaps in the Commonwealth’s Notifiable Data Breach Scheme, which excludes small business and state government agencies. It has also retired the affected software and announced plans to introduce data breach legislation, and I’ve noticed they have been hiring cyber talent like crazy on Seek.

Reflection

Licences are an important form of identification; for many people they are their primary form of identification. They are a golden ticket for identity thieves: name, address, date of birth and licence number, all in one tasty little morsel.

I think the NSW government is to be commended on its response. But, and it’s a big but, this shouldn’t have happened in the first place. The government knows it is an attractive target; at the very least they should have been following the Essential Eight. I say at the very least, but I actually mean they should have done a lot more to prevent this. Not just for themselves, but for any contractors who handle government-issued documents and data (such as licences).

My conclusion is that I do not trust the government to keep data safe. In the space of one year there have been multiple breaches of data from the NSW Government, breaches that may have been inevitable, eventually, but were made a lot more evitable by poor security practices.
