PriceSensitive

Personal information of over 54,000 NSW drivers exposed in massive data breach

Economy
01 September 2020 14:59 (AEDT)

NSW Privacy Commissioner, Samantha Gavel

The personal information of over 50,000 New South Wales citizens has been breached after being left mistakenly exposed on an Amazon cloud storage service.

The data breach was flagged by Ukrainian security consultant Bob Diachenko, who accidentally came across the information while investigating a different data breach.

Bob stumbled across a misconfigured Amazon S3 cloud storage system holding front and back scans of NSW drivers’ licences.

Altogether, there were over 108,000 images in the folder — more than 54,000 licences.

This means the full names, dates of birth, addresses, and pictures of tens of thousands of NSW motorists have been left exposed. Criminals can use this information to assume the identity of the drivers and, from there, the potential for fraud is wide.

People with malicious intent can use the information to impersonate the owner of the driver’s licence and apply for credit or gain access to more personal information.

Especially given that an Australian driver’s licence is a primary form of identification, scammers with access to the breached images can fool organisations into thinking they are the owner of the card.

Bob said it wasn’t clear how long the files were accessible and if they had been copied by a criminal, but the opportunity was certainly there.

Government not to blame

A Transport for NSW spokesperson said the images of the licences were not related to any government system.

“Transport for NSW does not retain, nor collect tolling data in the manner described,” the spokesperson said.

“Transport for NSW is, however, working with Cyber Security NSW to investigate the alleged data issue relating to an Amazon Web Services S3 bucket containing personal information including driver licences,” she said.

The office of the NSW Privacy Commissioner said as far as it understands, a commercial business unconnected to the NSW government was responsible for the breach.

Amazon has been contacted and the cache has been taken offline. Of course, this doesn’t mean Amazon was responsible for the breach, but rather the business using Amazon’s S3 bucket cloud storage service.

The NSW government has not yet alerted the people whose information was breached.

Once notified, however, those implicated in the breach can request a new license.

Related News