Routine, insecure processes at the NSW government’s Service NSW agency are continuing to jeopardise the privacy and security of citizens’ personal information, an audit has found in the wake of a March data breach that compromised 3.8m sensitive documents and will cost the agency over $30m.

Service NSW, which has been lauded for a centralised digital service delivery approach that formed the model for the federal government’s own Services Australia agency, “is not effectively handling personal customer and business information to ensure its privacy,” the Auditor-General for NSW concluded after a recent review of the agency’s processes.

The agency “continues to use business processes that pose a risk to the privacy of personal information,” the review found, noting continued “routine emailing of personal information” that was among the contributors to the May breach.

Some 736GB of personal data – relating to what was believed to be 200,000 people but later revealed to be around 105,000 – was compromised during that breach, which occurred after a successful phishing attack led to the compromise of 47 staff email accounts.

Despite the formation of a ‘hypercare’ team to manage the fallout of the breach – and the subsequent commitment of $240m to improve cyber security across the NSW government – Auditor-General Margaret Crawford found that “previously identified risks and recommended solutions had not been implemented on a timely basis”.

Despite its claim to have a “zero level appetite for privacy risk”, Crawford said, the lack of procedural change at Service NSW was continuing to threaten the privacy of its 4 million clients, for whom the agency manages over 1,200 types of digital transactions on behalf of 36 NSW government agencies.

Ongoing business processes that require personal information to be scanned and emailed to some client agencies, for example, had allowed those weaknesses to persist and required “urgent action” to be fixed.

Service NSW’s lack of multi-factor authentication – which was supposed to have been implemented by June 2019 but only went live after the breach – was also named as a key vulnerability.

There were also “significant weaknesses” in the security around Service NSW’s implementation of the Salesforce customer relationship management (CRM) system, including “deficiencies in the management of role-based access, monitoring and audit of user access, and partitioning of program specific transaction information”.

The review also found a blurring of the lines of responsibility for meeting privacy obligations, as well as a lack of privacy reviews of existing processes and systems that “has resulted in some processes continuing despite posing significant risks to the privacy of personal information”.

Ongoing privacy surveillance

The review raised concerns that the lack of ongoing privacy reviews had allowed insecure processes to fester inside Service NSW, and that most staff were unaware of the agency’s privacy management plan even though nearly 90 per cent of staff had completed mandatory privacy and information security training. In response, Service NSW accepted “in full” the Auditor-General’s report and its eight core recommendations to improve privacy at the agency.

These include implementing better systems for secure document exchange and storage; clarifying privacy controls; reviewing privacy risk management policies; addressing shortcomings in its Salesforce system; and updating client agency agreements to ensure they meet privacy standards.

Sophie Cotsis, NSW Shadow Minister for Better Public Services, slammed the audit’s findings as an indictment of state governance processes that, she said, Minister for Customer Service Victor Dominello had weakened with misguided restructuring.

Dominello “allowed risk, privacy and governance roles at Service NSW to be absorbed [into] the Department of Customer Service,” she said, “leaving Service NSW without an internal team to manage these high-risk functions … We will see many more incidents like this Service NSW breach until this government takes this seriously.”

The agency “is committed to significant and enduring changes to the way we do business,” Service NSW CEO Damon Rees said in a response to the review that acknowledged that the data breach had “profoundly affected our customers, our partner agencies’ customers, and our staff”.

Remediation, including what he called “enhanced cybersecurity measures” and automated secure archiving of emails containing personal information, had complemented additional staff privacy training and paved the way for “wide-ranging improvements to privacy protection” that had been planned for 2021.

The agency will, for example, reduce paper processes and implement “more secure methods” for transmitting and storing personal information.

It will also review its processes to minimise the number of instances where personal information must be retained, and will review both new and existing processes on an ongoing basis to ensure continuing compliance.

“The significance and the scale of improvements in the pipeline,” Rees said, “demonstrate how seriously we take our responsibility to rebuilding the trust of our customers and staff.”