Tens of thousands of people who had their NSW driver’s licence details exposed in a misconfigured AWS bucket remain in the dark about the breach after more than three months.
In late August, around 54,000 scanned NSW driver’s licences were discovered online by Bob Diachenko of Security Discovery while he was investigating another data breach.
The more than 108,000 images of the front and back of scanned licences were located in an open S3 instance, which also contained completed tolling notice statutory declarations.
As reported by iTnews, the NSW government was quickly ruled out as the owner of the AWS S3 bucket, with the leak instead blamed on an unspecified third party.
Cyber Security NSW later confirmed that a commercial entity was responsible, though at that time it had not been provided with information on the identity of the entity by AWS.
AWS is understood to have notified the entity when the S3 bucket was closed after the breach was reported to the Australian Cyber Security Centre in August.
But while inquiries are continuing, iTnews can reveal Cyber Security NSW is still unaware of the entity’s identity or whether the entity's customers have been notified three months on.
“AWS… will not disclose its owner due to contractual obligations with the entity,” Cyber Security NSW said in a statement.
“NSW Government is therefore not aware of the identity of the commercial entity, nor NSW customers that may have been affected by the breach.”
The spokesperson added that Cyber Security NSW is continuing to work with state and federal agencies to determine the entity's identity and ensure customers are notified.
An AWS spokesperson said the company “has complied with a request from the Australian government related to this matter as required under the Privacy Act”.
AWS would not say whether it was aware the entity in question had notified its customers.
The Office of the Australian Information Commissioner would only “confirm that the parties subject to inquiries are commercial entities”.
While there is no requirement to notify if the data breach is not likely to result in serious harm, any delays in this process can leave customers exposed to scams and other risks.
The inability of NSW authorities, in particular, to identify the bucket owner also raises questions around whether the government should be able to step in in the event of a serious data breach.
Cyber Security NSW said the government “is willing to help by partnering with the commercial entity to support any impacted customers, including in relation to communications”.
“This would allow those customers to take prompt action to minimise the risk of harm as a result of their personal information being accessed by third parties,” the spokesperson said.