Hundreds of gigabytes of data taken from Transport for NSW was dumped on the dark web, raising further concerns about the state government’s ability to manage cyber security.
The data appeared on a dark web leak site belonging to ransomware and extortion group CL0P after the state transport agency was caught up in a data breach related to the Accellion File Transfer Appliance (FTA) last month.
Around 250GB of information including confidential emails and files appears on the site, downloadable in chunks of roughly 4GB each.
CL0P published data from Transport for NSW and dozens of other organisations in an extortion attempt after a vulnerability was discovered in the legacy Accellion service.
“Want to delete a page or buy data?” the Transport for NSW leak site says. “Write to the email indicated on the home page.”
Greens MP David Shoebridge said there were “a number of issues” with stolen confidential information from the state government appearing on a publicly accessible web site.
“Transport for NSW has never been up front about what information was stolen and who may be impacted,” he told Information Age.
“There should be a basic expectation of transparency from any government department that has been hacked.
“Obviously there are concerns when a high profile government agency has such a security breach and I am not at all confident that Transport for NSW has the right measures in place to protect its information going forwards.”
Shoebridge sat on a parliamentary committee investigating cyber security in the NSW government in the wake of a cyber attack on Service NSW along with multiple agencies that were affected by the Accellion vulnerability.
The committee handed down its findings last Friday, slamming the government’s handling of cyber security at a time when it is promoting greater use of digital services among the citizenry.
Shoebridge himself was critical of what he said was “a series of government agencies” found to be using email to send large amounts of personal information – as was the case in the Service NSW breach.
“It’s one of the most insecure methods of transferring information that’s ever been designed,” he told Information Age.
“Yet even when they’ve been put on notice about the vulnerabilities, there doesn’t seem to be a sense of priority inside government agencies.
“There are real structural failures inside the NSW government when it comes to cyber security.”
The NSW parliamentary committee made 12 recommendations, including that the government reviews the functions of Cyber Security NSW and moves it out of the Department of Customer Service and into the Department of Premier and Cabinet so it has “more independence from service delivery agencies” like Service NSW.
Cyber Security NSW declined Information Age’s request for an interview.
In an email statement, a spokesperson said Cyber Security NSW “plays a critical whole-of-government role” in developing stronger government security.
“In accordance with the mandatory requirements in the NSW Cyber Security Policy, agencies must report cyber security incidents to Cyber Security NSW,” the spokesperson said.
“Also under these requirements, agencies must also share information on security threats and intelligence with Cyber Security NSW.”
In relation to the Accellion breach, the Cyber Security NSW spokesperson said it “continue[s] to focus on technical and criminal investigations”.