Australian Government Privacy Breach: September 1 2020

Data breach exposes tens of thousands of NSW driver’s licences online

The documents feature scans of licences which reveal information such as names and addresses.

Source: Data breach exposes tens of thousands of NSW driver’s licences online | ABC News (Australia)

Transport for NSW is yet to alert up to tens of thousands of people whose full driver’s licence details were mistakenly left exposed in open cloud storage.

The cache was discovered last week by Ukrainian security consultant Bob Diachenko, who stumbled upon the directory while investigating another data breach.

The storage folder, which he said was easily discoverable, contained back-and-front scans of NSW licences alongside tolling notices hosted on Amazon’s cloud service.

The total number of images inside the directory was 108,535, or about 54,000 licences.

The documents revealed names, photos, dates of birth and addresses of drivers, which Mr Diachenko labelled a “dangerous exposure”.

The Privacy Commissioner understands that a commercial business, unconnected to the NSW Government, was responsible for the breach.

Leading cyber expert and founder of data breach tool Have I Been Pwned, Troy Hunt, said this was an unusual and uncommon kind of breach and it might be too little, too late.

Mr Hunt said even if Transport NSW was not culpable, it had a responsibility to disclose the potentially “high risk” leak to protect its customers.

“I think there should have been a notice,” Mr Hunt said.