NSW Transport is yet to alert up to tens of thousands of people whose full driver’s licence details were mistakenly left exposed in an open cloud storage.
- Transport for NSW said it is working with Cyber Security NSW to investigate the issue
- The documents feature scans of licences which reveal information such as names and addresses
- Experts say the data could be misused for identity theft purposes
The cache was discovered last week by Ukrainian security consultant Bob Diachenko who stumbled upon the directory while investigating another data breach.
The storage folder, which he said was easily discoverable, contained back-and-front scans of NSW licences alongside tolling notices hosted on Amazon’s cloud service.
The documents revealed names, photos, dates of birth and addresses of drivers, which Mr Diachenko labelled a “dangerous exposure”.
He said it wasn’t clear how long the files had been accessible online, but given how unprotected it was, it probably had been viewed by “malicious actors” who could have made a copy of the files already.
“A malicious actor can impersonate somebody and apply for credit, or do something on behalf of that person,” he said.
“For example, you take one licence and connect the dots with one owner of this licence, with his or her emails exposed in another data breach and you’ve got more information on that person,” he said.
He said personal information like this would also commonly be traded through online black markets once it made its way into the hands of a criminal.
A spokeswoman for Transport for NSW said the collection of files was not related to any government system.
“Transport for NSW does not retain, nor collect tolling data in the manner described,” she said.
“Transport for NSW is however working with Cyber Security NSW to investigate the alleged data issue relating to an Amazon Web Services S3 bucket containing personal information including driver licences.”
The Amazon Web Services S3 bucket is the open cloud storage provider.
Commercial business blamed as source
The office of the NSW Privacy Commissioner, which is delegated to monitor data breaches within State Government departments, said the data appeared to be linked to an unnamed private business.
“The NSW Privacy Commissioner is aware of the breach and has received a preliminary briefing on the breach from Cyber Security NSW,” a spokeswoman said.
“The Privacy Commissioner understands that a commercial business, unconnected to the NSW Government, was responsible for the breach.
“The breach is not associated with a NSW Government agency or any NSW Government system or process.”
The Australian Cyber Security Centre has also been alerted and it is understood it contacted Amazon, who ensured the cache was taken offline within hours after it was alerted.
The Transport for NSW spokeswoman said some drivers request a new licence in a case when they believe they’ve been impacted by identity fraud.
Cyber expert Troy Hunt said this was an uncommon breach and it might be too little, too late.
Mr Hunt said even if Transport NSW was not culpable, it had a responsibility to disclose the potentially “high risk” leak to protect its customers.
“I think there should have been a notice,” Mr Hunt said.
“I would be pushing for a disclosure on this, because it’s something that’s quite important.”
Even if the licence details, such as the card number, weren’t used directly there was “powerful information” on there and it was enough to commit identity theft.
One example he provided would be using it for “social engineering”, such as creating a fake Facebook account to solicit relatives for money.
He was concerned about the toll notices having emails and passwords, which are almost always compromised eventually because regular users have poor security hygiene.
Once a malicious actor had a person’s email and password, he said, their “ability to go on and do damage is massive”.