The locations of sensitive organisations, including defence sites and domestic violence shelters, were revealed in a leak of data the NSW government collected for mandatory QR code check-ins.
Cyber security specialist Skeeve Stevens found that a dataset which had been deliberately uploaded to the NSW government website contained sensitive information.
He told the Nine papers there were some “scary things” he was able to find by trawling through the publicly available data, including police armoury and firearm storage locations.
“Perhaps someone should’ve thought about what should and should not have been disclosed,” he said.
Stevens explained on LinkedIn that the issue wasn’t necessarily the data itself being uploaded but the apparent lack of an option for organisations to indicate their check-in location data was sensitive, as is the case with defence sites and domestic violence shelters.
NSW requires people to scan a QR code when entering public buildings to assist with contact tracing.
A note on the NSW Data website dated 12 October 2021 says the business and organisation dataset “has been discontinued”.
“We have identified issues with the integrity of the data with the recent increase in volume of registrations,” it said.
NSW Premier Dominic Perrottet said the privacy commissioner had been notified and that the data was taken down once the government became aware of the issue.
“My understanding is [the privacy commissioner was] satisfied that the matter was resolved and that the information was taken down,” he said.
“It shouldn’t have happened.”
NSW Shadow Customer Service Minister, Yasmin Catley, said it was disappointing that organisations that followed the state’s directions were exposed in this manner.
“Businesses that have done the right thing and registered with the NSW government have a right to feel very let down,” she said.
“The NSW Government has a poor track record on cyber security and this is yet another example.”
Indeed, government services have suffered from a series of incidents that included a breach of Service NSW in 2020 which saw the information from over 100,000 people compromised.
Early last year, 250GB of data from Transport for NSW was dumped on the dark web after the department was caught out using a legacy file transfer system that contained a major vulnerability.
Shaun Witherden, a Senior Channel Development Manager at cyber security company Datto, said the latest NSW government incident “highlights the importance of organisations focusing on the resilience of their entire network”.
“This includes scenario planning for instances of human error,” he said.