A Sydney health worker says he was left “sickened” when he realised his NSW driver’s licence was part of a significant data breach.
- Transport for NSW said it does not own or have access to the folder contents
- Because of this, it can’t determine the people who have been affected
- The NSW Opposition said the company linked to the folder should be named
Transport for NSW is yet to alert up to 54,000 people whose driver’s licence details were mistakenly left exposed in open cloud storage.
Edward* checked his phone yesterday and saw the ABC had published the details of the “dangerous” data breach.
The story included a redacted photo of a driver’s licence on a kitchen bench.
The inner-west man said he recognised the distinctive kitchen bench as the one at his mother’s home, where he had lived just recently.
He said he panicked when he made the connection.
“I remembered having dinner on that table just two nights ago,” he said.
“The licence featured in the article matched my old postcode and also happened to match the exact benchtop at my mum’s place.
“I put two and two together and realised it was probably my licence.”
Edward said he had no recollection of ever photographing or sending images of his identification to any non-government party.
It is still unclear to authorities who or what created the folder and collected the personal information of NSW drivers, but it is understood to be a commercial entity.
A Department of Customer Service NSW spokesperson said neither the digital driver licence platform nor the Service NSW app was compromised.
“Investigations by Cyber Security NSW into an apparent data breach of NSW Driver Licences by a commercial entity confirm this matter is not related to NSW Government processes, systems or storage in any way,” they said.
Transport for NSW said it was not the owner of the folder, which was hosted by Amazon Web Services.
“As Transport for NSW is not the owner of the folder and does not have access to its contents, the identities of all those who may have been affected cannot be determined,” a spokesperson said.
“However, Transport for NSW takes customer data security concerns seriously and will support those who have been the victim of identity theft. Where necessary, new driver licence/photo cards are reissued on a case-by-case basis.”
Targeting the vulnerable
Working in the health sector, Edward had a heightened anxiety around privacy breaches and regularly changed his passwords.
“It’s a sort of feeling where you’re vulnerable and could be exploited for essentially doing nothing wrong,” he said.
“I am concerned about my own identity and also confident in my ability to tie up loose ends, but if it was my mum or dad, for example, they would probably be much more vulnerable than I am.”
The cache of personal documents was discovered last week during an investigation into another, unrelated data breach.
Ukrainian security consultant Bob Diachenko, who discovered the open folder, said there were 108,535 images showing the front and back of 54,000 NSW licences, as well as toll notices.
Mr Diachenko easily found the directory in an Amazon Web Services S3 bucket, a public cloud storage resource that functions similarly to Google Drive and Dropbox.
After the data leak, the NSW Opposition pressured the State Government to name the commercial company involved.
“The NSW Government must explain this data breach and immediately notify people whose details have been leaked so they can protect themselves,” Opposition spokeswoman for better public services Sophie Cotsis said.
Ms Cotsis said NSW Labor would request an investigation of the breach at a Parliamentary Inquiry into Cyber Security, which was established last month.
The data breach follows other cyber security incidents, including a major system outage at Transport for NSW that was attributed to a malicious hack in June.
* Not his real name