Nearly 40,000 people whose data was compromised in a massive Service NSW data breach last year will never receive official notification about the incident because of the type of data involved and the agency’s policy to deliver “personalised” notices through the post.
In a NSW Budget Estimates hearing on Wednesday, officials from Service NSW confirmed about 103,000 people’s information was compromised after a targeted phishing attack gave attackers access to its internal email systems between March and April last year.
But more than a year later, nearly 40 per cent of people impacted have not been contacted.
The agency’s chief executive Damon Rees said Service NSW had successfully contacted 63,500 of the people who had their data compromised. This was done through the post because Service NSW had advice that other forms of contact like phone or email would create further risks and because letters offered more “personalised” advice.
“[Registered letters] also effectively meant that a customer was signing for their own notification, and therefore we were able to provide a greater level of more personalised advice there,” Mr Rees said.
Letters were primarily sent via registered post, requiring the affected person to prove their identity and sign for the letter. However, thousands of letters were returned and Service NSW conducted a round of data matching with Transport NSW to obtain more current addresses and tried again.
Mr Rees said ultimately about 18,500 letters were unable to be delivered with registered post. A final round saw new non-registered letters sent to this group advising them to contact the agency.
“We weren’t able to personalise those final round mails in the same way,” Mr Rees said.
“But if you put all that together, 63,500 customers were ultimately successfully notified out of the 103,000.”
The Service NSW chief said the nature of the data involved in the breach also played a “heavy role” in the agency’s ability to identify people impacted.
Because the breach came through email accounts rather than a core system, it was difficult for the agency to correlate the information which had been compromised with individual people, according to Mr Rees.
“That meant the information that was extracted was highly unstructured in its nature. So it could be content within an email, it could be a scan of a handwritten document, it could be a scan of a receipt,” he said.
“So the unstructured nature of that meant that actually the level of information that was able to be extracted and our ability to correlate that information and recognise [certain individuals was difficult].”
A damming NSW parliamentary inquiry and report into government cyber security triggered by the incident recommended an overhaul of cyber security strategy and policies, including formal notification procedures for data breaches and a stronger mandate for Cyber Security NSW.
The government is yet to respond to report but launched a new cyber strategy in May. Department of Customer Service officials were unable to answer several questions on the report’s recommendations at the Budget Estimates hearing on Wednesday, taking many on notice and confirming a formal government response to the report is expected soon.
Do you know more? Contact James Riley via Email.