The NSW privacy watchdog has been asked to investigate how more than 54,000 scanned driver’s licences were left exposed in an open Amazon Web Services storage instance.
NSW Labor called for the investigation over the weekend after iTnews revealed the mystery data leak, which also exposed tolling notice statutory declarations.
The open AWS S3 bucket, containing 108,535 images of the front and back of scanned driver’s licences, was found by Bob Diachenko of Security Discovery.
While Transport for NSW and Cyber Security NSW are continuing to investigate the instance, which has since been closed, an unspecified third party is understood to be responsible.
"Initial information indicates the exposed AWS S3 bucket is not related to Transport for NSW or any government system," the spokesperson told iTnews last week.
But Labor’s public services spokesperson Sophie Cotsis has nevertheless “requested an investigation ... by the Information and Privacy Commissioners and the NSW Auditor-General”.
She has also asked the government to explain how the leak could happen and “notify people whose details have been exposed”.
“We also expect this matter will be examined by a Parliamentary Inquiry into Cyber Security which was established earlier this month,” she added.
A copy of the letter sighted by iTnews asks that the NSW Auditor-General expand the scope of its current performance audit of cyber security to consider the mystery data leak.
The NSW Auditor-General is already considering an audit around Service NSW’s handling of sensitive customer information at the request of Customer Service Minister Victor Dominello.
The request was made shortly after Service NSW suffered an email compromise attack that impacted the accounts of staff members and information of an unknown number of citizens.
Cotsis also lamented NSW’s lack of a mandatory data breach notification scheme for state government agencies.
While the government pledged to introduce such a scheme in March, making it the first state or territory jurisdiction to do so, there has been no movement since then.
“There is no mandatory notification requirement for data breaches in NSW. That’s not good enough,” she said.
“Public sector agencies should be required to notify people who have been affected by serious privacy breaches.