Two South Australian government entities have reported cyber security incidents in less than a week, after the state’s digital driver’s licence system was compromised and historical medical records were exposed.
Last Thursday, the Department for Infrastructure and Transport issued a statement about a mass hacking event with mySA GOV, an app that features digital driver’s licences and is used for COVID-19 check-ins.
According to the department, bad actors used credentials stolen in an unrelated breach to compromise 2,601 mySA GOV accounts.
“The accounts could be accessed because account holders had used the same or a similar password for their mySA GOV account as they had used for their account with the unrelated website,” the department said.
“The hackers then used the passwords they had obtained from the unrelated website to access a number of mySA GOV accounts.
“It is strongly recommended that when choosing a new password for their account, customers do not use a password that has been previously used or is currently being used for any other accounts.”
In response, the state blocked the passwords and notified users who were affected. It is also encouraging people who were hit by the attack to change their driver’s licence number.
Then on Wednesday, the SA Ambulance Service revealed devices containing personal information of around 28,000 individuals had been stolen from a third-party consultancy firm.
The SA Ambulance Service had contracted the consultancy – which it has not named – to conduct research about private health insurance reforms.
The ambulance service released the data in the early 2000s, before it became part of the state government.
The stolen devices contained information about 32,000 ambulance dispatches between 2000 and 2003, including names, dates of birth, and medical information about the patients.
“We apologise to those impacted and have taken urgent action to minimise the risk and to get in touch directly with the affected individuals,” SA Ambulance Service Executive Director Robert Cox said in a statement.
“While we understand that the information stolen is of sensitive nature, there is no evidence to date to suggest the data has been used inappropriately.
“While there has not been a deliberate or operational breach of data, theft of this historical data is taken very seriously.
“We have reviewed our current procedures for data sharing and disposal and want to assure the community that they are robust.”
The ambulance service said it notified the Office of the Australian Information Commissioner about the incident and has contacted the affected individuals.