Service NSW has confirmed that the personal data of 186,000 customers and staff were leaked after a cyber attack earlier this year, in which 47 employees had their email accounts compromised.
A four-month investigation, which began in April, concluded that roughly 3.8 million documents had to be analysed to assess the severity of any possible breaches.
“This rigorous first step surfaced about 500,000 documents which referenced personal information,” Service NSW chief executive Damon Rees said.
“The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications.”
The total size of the breach was 738 gigabytes of data, but not all of that was personal information, a spokesperson for Service NSW said.
There is no evidence that individual MyServiceNSW account data or Service NSW databases were compromised.
“The cyber incident was a criminal attack,” Service NSW said in a statement.
“Cyber attacks occur daily, and we are often able to intercept them. On this occasion, we couldn’t stop the attack.”
Customers who have been identified as “at-risk” will be notified by mail, which will include instructions on how to get support. The department said it “will never call or email a customer out of the blue requesting customer information about this or any other data breach”.
The mailing process is expected to be concluded by December.
“We are sorry that customers’ information was taken in this way,” Mr Rees said.
“Our focus is now on providing the best support for approximately 186,000 customers and staff we’ve identified with personal information in the breach.
Labor’s shadow minister for public services, Sophie Cotsis, said that Minister for Customer Service Victor Dominelllo needed to face the public after the breach.
“Under Mr Dominello’s watch cybercriminals have broken into Service NSW and may have stolen people’s birth certificates, credit card details, medical records, financial information and even sensitive legal enforcement information”, she said.
“Minister Dominello and the Premier must explain and account for why they have failed to secure and protect sensitive information from cybercriminals”.
The department is now working with NSW Police to assess potential lines of inquiry about the attack, and is providing regular briefings to Cyber Security NSW and the Information and Privacy Commissioner.
It said it has also accelerated cyber security plans and the modernisation of legacy business processes, and has brought in cyber support community service IDCARE to provide support.
“The approach Service NSW has taken will set a new benchmark on what proactive protections can be put in place from an impacted person perspective, and it provides a road map for treating individual risk,” IDCARE managing director Professor David Lacey said.
In June, the Herald reported that the NSW government was warned in late 2019 to improve its cyber security urgently in a report that found almost half of its agencies had no recommended strategies in place to prevent attacks.
The was after it was revealed that the state had been the target of a wave of sophisticated, foreign-actor data breaches, prompting Prime Minister Scott Morrison to warn the nation to brace for further incursions.
Trump Biden 2020
Our weekly newsletter will deliver expert analysis of the race to the White House from our US correspondent Matthew Knott. Sign up for The Sydney Morning Herald‘s newsletter here, The Age‘s here, Brisbane Times‘ here and WAtoday‘s here.
Matt Bungard is a journalist at The Sydney Morning Herald.