Amazon is refusing to disclose the identity of the owner of the open cloud storage where 54,000 NSW driver’s licences were found, the NSW Government says.
- Cyber Security NSW said Amazon “won’t disclose the name” of the cloud storage’s owner
- It is understood Amazon intends to cooperate with the Government’s investigations
- NSW Labor says the State Government has a “moral obligation” to notify people of the breach
Last week, about 108,535 documents were discovered by a security consultant in Ukraine on an accessible server hosted by Amazon.
Inside the cache were front and back scans of tens of thousands of NSW driver’s licences which included full names, addresses and dates of birth.
The NSW Government has been blasted for failing to notify NSW drivers that their personal details have been exposed.
However, Service NSW says it has been forced to work with third-party organisations to identify the owner of the Amazon Web Services (AWS) ‘bucket’ which hosted the documents.
“AWS currently won’t disclose the name of the entity, but have confirmed it is a commercial entity,” a Cyber Security NSW spokesperson said.
Cyber Security NSW, which is currently investigating the breach, said it had been trying to make the commercial entity aware “of its responsibilities to report and remediate any breach”.
“We do not know how long this commercial entity had this data open for,” said Cyber Security NSW chief security officer Tony Chapman.
“We do not know whether anybody other than the security researcher quoted in media coverage has accessed the information.”
The ABC understands Amazon intends to cooperate with the Government’s investigation.
It is also understood their findings indicated the licences were made public due to the customer misconfiguring the default privacy settings on their cloud service.
“AWS operated as designed and is secure by default. AWS customers own and fully control their data,” an Amazon spokesperson said.
“As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting as intended.”
Pressure is mounting for the NSW Government to attempt to notify any customers it is already aware of who were in the cloud directory.
Service NSW said it would be the responsibility of the commercial entity to deliver this notification.
Cyber security lecturer at the University of Sydney Suranga Seneviratne said the NSW Government should be proactive due to the intensely sensitive nature of the documents.
“Transport for NSW should notify these people, we cannot wait until we find the source,” he said.
“That’s something we should do immediately.”
Dr Seneviratne was also concerned that investigators were still unable to ascertain the owner of the repository.
“It might be a case that we may never find them at all,” he said.
The Labor Opposition said the State Government had “a moral obligation to notify people as soon as possible if they are affected by a data breach”.
“While this breach apparently involves a private company, the NSW Government should still be taking steps to help affected people protect themselves against identity theft and cyber crime,” Opposition spokeswoman for better public services Sophie Cotsis said.
“The NSW Government is responsible for administering driver licences, and it has a responsibility to protect people against cyber crime and identity theft.
“Every day the Government delays, they are putting people at risk.”