Last week, a New South Wales (NSW) driver’s licence company suffered a massive data breach, impacting more than 50,000 individuals. According to ABC News, approximately 108,535 documents were found on open cloud storage hosted by Amazon.
Bob Diachenko, a security consultant in Ukraine, is said to have found the breach and the documents on the Internet. Diachenko reportedly only stumbled upon the data by accident as he was investigating another breach, notes ABC News.
The compromised personal information includes tens of thousands of scanned NSW driver’s licences, showing both the front and back of each card, as well as the names, addresses, and dates of birth of the licence holders. Photos were also exposed in the incident.
Apart from these personal details, the storage folder also contained tolling notices. In total, around 54,000 licences and individuals were compromised by the data breach, leading Diachenko to label the incident a “dangerous exposure.”
Following the incident, the government has reportedly been bombarded with messages and criticism, with most saying it failed to immediately notify drivers and licence holders whose data may have been compromised.
In light of this, ABC News revealed that while the government has reached out to third-party organisations and authorities to identify the owner of the cache, Amazon itself has declined to reveal the name of the organisation or company.
In a statement, a spokesperson for Cyber Security NSW said, “AWS currently won’t disclose the name of the entity, but have confirmed it is a commercial entity.”
Cyber Security NSW said that the commercial entity was responsible for the security breach and, by extension, for conducting an investigation. The commercial entity should also be the one to notify affected customers, reports ZDNet.
Referring to the incident, Cyber Security NSW chief cybersecurity officer Tony Chapman said, “There are mandatory reporting requirements under the Office of the Australian Information Commissioner that the commercial entity needs to adhere to.”
“Cyber Security NSW will continue to work with other organisations to seek more information about the commercial entity involved and encourage them to reach out to their customers if their information has been breached.”
To address the incident, Transport for NSW said it will issue new photos or driver’s licence cards to affected parties on a case-by-case basis, notes ZDNet.