NSW Transport has yet to inform more than 50,000 Australian driver licence holders that their personal data was uploaded and left exposed in open cloud storage.
The licences were discovered last week by a Ukranian security consultant who stumbled across the folder, which he said was both easily discoverable and easily downloadable from the Amazon cloud storage where it was found.
The licences revealed personal information such as names, photos, dates of birth and addresses of drivers, which can be used together create false identities and commit identity fraud.
It's not clear how long the file was online, or who had access to it, but there is potential for all of licence holders to be affected.
Passing the buck
Transport New South Wales said the collection of files was not related to any government system but that the department was working with Cyber Security NSW to investigate the error.
The incident is expected to be examined by the Parliamentary Inquiry into Cyber Security which was established in August of this year.
But while the details exactly what happened, how, and whose responsibility this is, are still yet to be fully determined there are about 54,000 New South Wales driver licence holders impacted by the breach – none of whom have been formally informed of the breach.
Impact of identity theft
Aside from identity theft, if a cyber criminal is able to access that person's email and passwords, they have the ability to wreak havoc on any aspect of that person's life – potentially gaining access to bank accounts or credit card information which would then permit them to commit fraud.
In February 2018, new laws came into effect, making it mandatory for all businesses to inform customers of any "data breach" that puts them at risk of "serious harm". The laws were intended to bring Australia into line with corporate data security policies and procedures around the globe.
Data breaches include any unauthorised access to, disclosure or loss of customer information, encompassing all personal information, credit reporting information and tax file information.
'Serious harm' is broadly defined as including physical, psychological, emotional, reputational, economic and financial harm.
Businesses with a mere "suspicion" of a breach must take all reasonable steps to ensure that a full investigation of that suspected breach is completed within 30 days.
If a breach has indeed occurred, it must be reported to the Office of the Australian Information Commissioner and customers must be notified in writing.
The customer notification must include specific information about the compromise, as well as clear instructions for responding such as the need to change passwords, cancel credit cards and/or review their personal information.
The penalties for non-compliance are severe – up to $360,000 for individuals and $1.8million for organisations for serious or repeat infringements.
New South Wales deserve to find out whether or not their personal information has been compromised, and there are calls for the government to at least contact affected people so they can make decisions about what to do next.
The incident is yet another example of government departments potentially leaving personal data accessible to those who may have sinister intentions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.