Cyber Security NSW recently informed Transport for NSW that a cloud storage folder containing personal information, including approximately 54,000 NSW driver licences, was left open in a misconfigured Amazon Web Services (AWS) S3 bucket.
Cyber Security NSW confirmed an unknown commercial entity was responsible for the data breach. The commercial entity collected scanned copies of driver licences directly from its customers and exposed them to the public by misconfiguring default privacy settings on Amazon’s cloud service.
Amazon refused to disclose the identity of the commercial entity and denied responsibility for the data breach, stating, “AWS operated as designed and is secure by default. AWS customers own and fully control their data.”
Regardless of who was responsible for the data breach, no one knows how long the data was exposed to the public or who accessed the information before Amazon took it offline.
The inadequately secured directory exposed names, dates of birth, home addresses and 100,000s of driver’s licence images for cyber criminals to copy and exploit.
Connecting this data with exposed information in another data breach, such as email and passwords, would allow malicious actors to commit identity theft and cause massive damage including, but not limited to:
The NSW government has been pressing to boost state cyber security capabilities for quite some time.
In 2018 the New South Wales Auditor-General conducted a security probe on 10 state government agencies to examine cybersecurity incident detection and response in the NSW public sector. The probe revealed:
The NSW government has since released a cybersecurity strategy that focuses on the creation of a mandatory cyber incident reporting scheme, inter-agency information-sharing, and cybersecurity-focused training for public servants.
Cyber Security NSW launched its Cyber Security Vulnerability Management Centre, which is responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies.
In April 2020, the Australian Cyber Security Centre issued a threat update regarding malicious cyber activity impacting Australians, stating it “continues to receive reports from individuals, businesses and government departments about a range of different COVID-19 themed scams, online frauds and phishing campaigns.”
The Office of the Australian Information Commissioner received 518 notifiable data breach reports during the first half of 2020.
We can shield our businesses from cyber-threats, data breaches and attacks by implementing:
If you think your licence has been compromised, you can request a new licence from the issuing authority.
Intrix Cyber Security can help you build the right cyber strategies and systems to protect your business from cyber-threats and attacks. Please contact us for a free consultation to learn how.