54,000 NSW driver licences leaked in AWS cloud: But, there’s hope on the horizon

Cyber Security NSW recently informed Transport for NSW that a cloud storage folder containing personal information, including approximately 54,000 NSW driver licences, were left open in a misconfigured Amazon Web Services (AWS) S3 bucket hosted by Amazon’s cloud service.

Who tipped the bucket?

Transport for NSW said it did not own the cloud storage folder and the exposed AWS S3 bucket was not related to Transport for NSW or any government system.

Cyber Security NSW confirmed an unknown commercial entity was responsible for the data breach. The commercial entity collected scanned copies of driver licences directly from its customers and exposed them to the public by misconfiguring default privacy settings on Amazon’s cloud service.

Amazon refused to disclose the identity of the commercial entity and denied responsibility for data breach stating, “AWS operated as designed and is secure by default. AWS customers own and fully control their data.”

Where is the data?

Regardless who was responsible for the data breach, no one knows how long the data was exposed to the public or who accessed the information before Amazon took it offline.

The inadequately secured directory exposed names, dates of birth, home addresses and 100,000s of driver’s licence images for cyber criminals to copy and exploit.

Connecting this data with exposed information in another data breach, such as email and passwords, would allow malicious actors to commit identity theft and cause massive damage including, but not limited to:

• Impersonation to act on behalf of a person and ruin his or her financial credibility.
• Social engineering to create fake social media accounts and solicit relatives for money.
• Trade through online black markets to get more personal information on the victim.

Threats to Australian cyber security is old news

NSW government has been pressing to boost state cyber security capabilities for quite some time.

In 2018 the New South Wales Auditor-General conducted a security probe on 10 state government agencies to examine cybersecurity incident detection and response in the NSW public sector. The probe revealed:

• Only two had good detection and response processes.
• Four had a medium capability to detect and respond to incidents in a timely manner.
• Remaining four had a low capability.
• Most agencies had incident response procedures.
• Some agencies lacked guidance on who to notify and when.
• Some agencies did not have response procedures at all.

NSW government has since released a cybersecurity strategy that focuses on creation of a mandatory cyber incident reporting scheme, inter-agency information-sharing, and cybersecurity-focused training for public servants.

Cyber Security NSW launched its Cyber Security Vulnerability Management Centre, which is responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies.

Australia’s cyber landscape remains cloudy

In April 2020, Australian Cyber Security Centre issued a threat update regarding malicious cyber activity impacting Australians stating it “continues to receive reports from individuals, businesses and government departments about a range of different COVID-19 themed scams, online frauds and phishing campaigns.”

The Office of the Australian Information Commissioner received 518 notifiable data breach reports during the first half of 2020.

• 34% of breaches were due to human error.
• 61% of breaches were attributed to malicious or criminal attacks.
• and there was a 47% surge in social engineering and impersonation attacks.

But, there’s hope on the horizon

We can shield our businesses from cyber-threats, data breaches and attacks by implementing:

• cloud security management
• cyber security incident detection and response plan
• risk assessment
• penetration testing