- The personal information of over 50,000 New South Wales citizens has been breached after being left mistakenly exposed on an Amazon cloud storage service
- Security consultant Bob Diachenko stumbled across a folder with front and back scans of over 54,000 driver’s licences while investigating a different data breach
- This means the names, addresses, dates of birth, and pictures of the NSW residents implicated in the breach were left exposed
- Criminals can use this information to apply for credit or to gain access to more personal information from the NSW motorists
- The NSW government said a commercial business with no relation to the government was to blame for the breach
- The NSW residents implicated in the data breach have not yet been contacted
The personal information of over 50,000 New South Wales citizens has been breached after being left mistakenly exposed on an Amazon cloud storage service.
The data breach was flagged by Ukrainian security consultant Bob Diachenko, who accidentally came across the information while investigating a different data breach.
Bob stumbled across a misconfigured Amazon S3 cloud storage system holding front and back scans of NSW drivers’ licences.
More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket. Most likely – part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now. No official response though. Thanks to @troyhunt for assistance. pic.twitter.com/FRTQ5GEEJE
— Bob Diachenko (@MayhemDayOne) August 26, 2020
Altogether, there were over 108,000 images in the folder — more than 54,000 licences.
This means the full names, dates of birth, addresses, and pictures of tens of thousands of NSW motorists have been left exposed. Criminals can use this information to assume the identity of the drivers, which opens the door to a wide range of fraud.
People with malicious intent can use the information to impersonate the owner of the driver’s licence and apply for credit or gain access to more personal information.
Because an Australian driver’s licence is a primary form of identification, scammers with access to the breached images can fool organisations into thinking they are the owner of the card.
Bob said it wasn’t clear how long the files were accessible or whether they had been copied by a criminal, but the opportunity was certainly there.
Government not to blame
A Transport for NSW spokesperson said the images of the licences were not related to any government system.
“Transport for NSW does not retain, nor collect tolling data in the manner described,” the spokesperson said.
“Transport for NSW is, however, working with Cyber Security NSW to investigate the alleged data issue relating to an Amazon Web Services S3 bucket containing personal information including driver licences,” she said.
The office of the NSW Privacy Commissioner said that, as far as it understands, a commercial business unconnected to the NSW government was responsible for the breach.
Amazon has been contacted and the cache has been taken offline. This doesn’t mean Amazon was responsible for the breach; responsibility lies with the business using Amazon’s S3 cloud storage service.
The NSW government has not yet alerted the people whose information was breached.
Once notified, however, those implicated in the breach can request a new licence.