A massive government data breach means more than 186,000 Australian driver’s licences could now be in the hands of foreign hackers.
The New South Wales government’s customer service agency revealed on Monday that 3.8 million documents, amounting to 738GB of private data, were stolen earlier this year.
Service NSW said 47 staff email accounts were compromised in April, with security experts saying the public’s identification documents were the ‘golden ticket’ for online scammers.
Such personal information can be used by hackers to drain bank accounts, purchase items on credit or apply for loans, according to iTnews.
‘The investigation has taken four months and required a highly technical approach to identify the exact amount of customer information in the 3.8 million documents stolen from the email accounts,’ Service NSW said on Monday.
The agency said about half a million of the documents included personal information.
‘We are now able to focus on providing the best advice for approximately 186,000 customers we’ve identified with data in the breach.’
Affected customers will receive a personalised letter, which they will have to show ID to collect, setting out exact details of the data about them that has been stolen.
The letters will give instructions to resolve the security breach, and complex cases will be assigned a case manager to guide customers through repairing the issues.
Service NSW labelled the cyber attack ‘criminal’ and said it had referred the matter to police, who have launched an investigation.
The shocking revelation follows the discovery of more than 50,000 Australian driver’s licences leaked online in August.
Ukrainian security consultant Bob Diachenko stumbled upon the folder of PDF and JPG files containing 108,535 scanned images of over 54,000 NSW licences.
He also discovered another folder containing Roads and Maritime Services toll notice statutory declarations.
The data was stored on an Amazon cloud storage service and contained phone numbers, addresses and birth dates – all of which were available for public view.
‘More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket,’ Mr Diachenko tweeted along with a screenshot of a list of files dated back to 2018.
‘Most likely – part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now.’
Whether the files are the same documents involved in the Service NSW email data breach has not been confirmed.
Mr Diachenko labelled the mysterious data leak a ‘dangerous exposure’ and said the files had most likely been seen by ‘malicious actors’ who could already have made a copy of them.
‘A malicious actor can impersonate somebody and apply for credit, or do something on behalf of that person,’ he said.
‘For example, you take one licence and connect the dots with one owner of this licence, with his or her emails exposed in another data breach and you’ve got more information on that person.’
IDcare security counsellor Christine Jackson said such personal information is regularly used as false verification of identities with Centrelink, phone companies and banks.
‘So often that will be telephone accounts, mobile phones are purchased, they might purchase iPads, tablets and things like that as well – so it can rack up to a lot of money,’ she told the ABC.
‘They’ll also apply for credit cards, personal loans and they’ll just keep going until your credit history is in a mess and they can’t go any further.
‘And then they’ll lay low for a while, wait for you to clean it up when you find out what’s gone on, and then they’ll reinvest in that compromised document.’
Ms Jackson said brazen criminals even steal licences from victims’ letterboxes after they have been sent to their homes by Roads and Maritime Services.
Scams reported to the ACCC involving identity theft or the loss of personal or banking information cost Australians at least $16 million last year.
Four in 10 Scamwatch reports in 2019 involved attempts to gain information or the actual loss of victims’ information.
One way scammers obtain personal or banking information is through direct requests for scans of driver’s licences or passports, often in dating and romance scams.
Fraudsters can empty victims’ bank accounts, take out thousands of dollars in bank loans under victims’ names, and even purchase furniture or electronics under ‘no-repayments for 12 months’ schemes.
Security researcher Troy Hunt believes the source of the leak could be a fleet or toll road operator.
‘The presence of toll notices [in the leak] is probably a bit of a clue and suggests it’s more likely that it’s a toll operator, or a fleet operator,’ he told Car Advice.
Mr Hunt said the nature of the breach would be ‘trivial’ for anyone with a solid amount of technological knowledge to uncover.
‘You don’t have to be at Bob’s level, but if you’re someone who likes to crawl around the internet looking for this stuff [it would be possible] – I’m concerned about someone who makes a concerted effort to find it,’ he said.
‘It was open to public view which was obviously the concerning thing and it’s unclear how long it was open for public view.’
The source of the uploaded files remains unknown, but it’s understood those affected by the breach are yet to be contacted.
Transport for NSW said in a statement that it does not retain or collect tolling data, and that it is working with Cyber Security NSW to investigate.
Daily Mail Australia has contacted Service NSW for comment.