The NSW government has been unable to notify at least 20,000 people who were impacted by a data breach at Service NSW last April.
It has been notifying people affected by the breach through registered mail.
Speaking to a NSW Inquiry into Cybersecurity last week, CEO of Service NSW Damon Rees said the department had “been able to reach 70 to 80 per cent” of the 104,000 people whose personal information was compromised in the phishing attack.
Last year’s incident saw 47 Service NSW staff email accounts hacked, resulting in the breach of five million documents, 10 per cent of which were understood to contain personal information.
“We are still ensuring that all our customer notifications have been successfully received by customers,” Rees told the committee.
“We get them returned to us by Australia Post where that has not been the case.”
In December, the NSW Auditor General handed down its report into the April breach, finding Service NSW “is not effectively handling personal customer and business information to ensure its privacy”.
The audit report slammed Service NSW for its process of emailing personal information of clients – a practice that was still occurring late into last year.
A lack of multi-factor authentication was also mentioned as a contributing factor to the breach.
Rees said Service NSW had already begun to reduce the risk of major breaches by removing all emails older than 60 days from customer service inboxes. He was also looking into more modern ways of storing sensitive information.
“Part one of this risk is to hold less,” he said. “Part two is to find a secure alternative to the transfer of information.
“We have a number of technologies that we are looking at there and piloting at the moment.
“We need to be very careful that when we make that change, we make it to a more secure alternative and that we get the processes and the human elements right around that, as well as the technology.”
Greens MP David Shoebridge questioned the NSW Chief Cyber Security Officer, Tony Chapman, as to why Service NSW was managing sensitive private information by email in the first place.
“Would it be fair to say that if you were designing a system that wanted to protect people's privacy and have as many layers of cybersecurity as possible, you would not start with emails?” Shoebridge asked.
Chapman’s response: “which is why agencies across New South Wales were actually, in fact, using Accellion as an alternative to email”.
The Accellion File Transfer Appliance (FTA) – a legacy product from the software vendor Accellion – had earlier been named by Chapman as part of another security incident affecting the Health Department and potentially other NSW agencies.
“The New South Wales Government and Cyber Security NSW are aware of the security incident that has impacted a third party provider,” Chapman told the committee.
“Cyber Security NSW is coordinating a whole-of-government response with potentially impacted agencies.
“We are working with forensic specialists as well as Accellion to determine the extent of potential impact, and that is ongoing.”
A vulnerability in Accellion’s FTA was behind a recent breach at the Australian Securities and Investments Commission (ASIC) which had occurred days after Accellion had rolled out patches to the small number of clients still using its old file-sharing system.