Thousands of Service NSW customers whose information was compromised during a cyber attack in March 2020 are still unaware that the incident even occurred, a parliamentary inquiry has heard.
During the inquiry into cybersecurity on Wednesday, Service NSW CEO Damon Rees was questioned about the attack on 47 staff email accounts, which saw the information of 104,000 individuals stolen.
Rees said the process for contacting affected customers about the breach has been “very difficult” due to the risk of scams.
“One of the things we observed is that when we did advise the public that we had been impacted by a breach, almost immediately members of the public were receiving attempted scam calls off the back of that public awareness to attempt to defraud them,” he told the inquiry.
Incomplete personal information, including contact details, has also meant that up to 30,000 people who were impacted by the breach have not yet been told.
“The method of notification in order to not generate risk for the public is that registered person-to-person mail which relies on us to have a current physical mailing address for the individual,” Rees explained.
“We did seek and were granted a section 41 from the Privacy Commissioner which enabled us to work with Transport for NSW to obtain the most up-to-date address possible for those impacted individuals.
“We have 104,000 individuals that were impacted and at this point it indicates that we have been able to successfully reach 70 to 80% of them.”
Service NSW originally thought that 186,000 customers had been affected by the breach, but has since revised the number.
Personal information that was compromised during the attack included names, dates of birth, phone numbers, and “more sensitive pieces of information such as particulars around your driver’s licence”, Rees said.
Email still used to send data, despite risk
A report from the NSW Audit Office last year noted that the practice of routinely emailing personal customer information to client agencies had contributed to the data breach.
The report recommended that, “as a matter of urgency”, Service NSW should implement a secure method of transferring personal information to other agencies, review the need to store scanned copies of personal information, and, if such storage is still required, implement a more secure method of storing that information with regular deletion of material.
Rees told the inquiry that last year the agency removed all email more than 60 days old from the accounts of customer service staff, which reduced the amount of email held in those mailboxes by about 92%.
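The retention measure described above (purging mail older than a fixed age so that a compromised mailbox exposes far less personal information) can be expressed as a small policy routine. The following is an added example, not code from Service NSW or the NSW Audit Office; it assumes a mailbox is a list of records with an `id` and an ISO 8601 `received` timestamp, and runs on a constructed sample rather than any real mailbox.

```python
"""Mailbox retention purge: remove messages older than a fixed age.

Added example (not code from Service NSW or the NSW Audit Office).
Assumes a mailbox is a list of dicts with 'id' and 'received' (ISO 8601)
keys; a real mail platform would expose the same operation through its
own API, and this routine only decides which messages fall outside the
retention window.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 60  # retention window stated in the article


def parse_received(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are treated as UTC so that
    comparisons against an aware cutoff never raise."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def select_expired(mailbox, now, max_age_days=MAX_AGE_DAYS):
    """Return the ids of messages received before the retention cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    return [m["id"] for m in mailbox if parse_received(m["received"]) < cutoff]


def purge(mailbox, now, max_age_days=MAX_AGE_DAYS, dry_run=True):
    """Apply the retention policy.

    Returns (remaining_messages, removed_ids, reduction_fraction). With
    dry_run=True the mailbox is returned untouched so the figures can be
    reviewed before anything is deleted.
    """
    expired = set(select_expired(mailbox, now, max_age_days))
    kept = [m for m in mailbox if m["id"] not in expired]
    total = len(mailbox)
    fraction = (len(expired) / total) if total else 0.0
    if dry_run:
        return mailbox, sorted(expired), fraction
    return kept, sorted(expired), fraction


# Constructed sample mailbox (not real data): five messages, three of which
# are older than 60 days relative to SAMPLE_NOW (cutoff is 2021-01-09).
SAMPLE_NOW = datetime(2021, 3, 10, tzinfo=timezone.utc)
SAMPLE_MAILBOX = [
    {"id": "m1", "received": "2020-11-01T09:00:00+00:00"},
    {"id": "m2", "received": "2020-12-15T14:30:00+00:00"},
    {"id": "m3", "received": "2021-01-05T08:00:00"},  # naive, treated as UTC
    {"id": "m4", "received": "2021-02-20T11:15:00+00:00"},
    {"id": "m5", "received": "2021-03-09T16:45:00+00:00"},
]

if __name__ == "__main__":
    remaining, removed, fraction = purge(SAMPLE_MAILBOX, SAMPLE_NOW, dry_run=False)
    print(f"removed {len(removed)} of {len(SAMPLE_MAILBOX)} messages "
          f"({fraction:.0%}); remaining: {[m['id'] for m in remaining]}")
```

Running the purge in dry-run mode first and reporting the reduction fraction mirrors how such a clean-up is normally rolled out: the numbers are checked against expectations (here 3 of 5 messages, 60%) before the destructive pass is enabled, and the cutoff is computed once from a single clock reading so every message is judged against the same boundary.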
The agency is now looking for a secure alternative to email for transferring information.
“We have a number of technologies that we are looking at there and piloting at the moment. We need to be very careful that when we make that change, we make it to a more secure alternative and that we get the processes and the human elements right around that, as well as the technology,” he said.
The agency is also looking at ways to remove the manual handling of information altogether where possible. However, Rees noted that this would require “the fundamental digitisation of those processes end-to-end so that the information does not have to be manually handled”, and would not be “quick or easy”.
Under questioning by Greens MP David Shoebridge, Rees admitted that while the amount of email that is being held has been “drastically reduced”, there is an “ongoing dependency” on email.
“I think we need to be ever vigilant about the safety of our personal information. We are already working towards that, and through the course of this year we will, if not eliminate, then greatly reduce the dependency on email for handling of information,” he said.