Tens of thousands of scanned NSW driver's licenses and completed tolling notice statutory declarations were left exposed on an open Amazon Web Services storage instance, but Transport for NSW doesn't know how the sensitive personal data ended up in the cloud.
The open AWS S3 bucket was found by Bob Diachenko of Security Discovery, as part of an investigation into another data breach.
"All the documents I observed were related to the NSW area and there was no indication as to who might be the owner of the data," Diachenko told iTnews.
One folder contained 108,535 images of the front and back of scanned driver's licences, and another contained scans of Roads and Maritime Services tolling notice statutory declarations, in PDF and JPG format.
A spokesperson for Transport for NSW said the agency is working with Cyber Security NSW to investigate what it called "the alleged data issue relating to an AWS S3 bucket containing personal information including driver licences."
"Initial information indicates the exposed AWS S3 bucket is not related to Transport for NSW or any government system," the spokesperson said.
Instead, TfNSW suggested an unspecified third-party might be responsible for the data leak.
"While it is always important for licence holders to be privacy aware when providing their sensitive personal information to other parties, Transport for NSW recognises that some third parties routinely request driver licence information as part of their business practices," the spokesperson said.
“Transport for NSW’s policies and procedures recognise the need for case-by-case consideration for customers believed to be impacted by identity fraud and where necessary issues new driver license/photo cards as appropriate.”
Diachenko shared a directory listing that showed files with date stamps from September and October 2018.
iTnews also sighted a NSW driver's licence, and a completed tolling notice statutory declaration form for a company, with details such as birth date and phone number of the person who had filled it in.
Diachenko contacted Troy Hunt of data breach notification service Have I Been Pwned, who in turn alerted the Australian Cyber Security Centre.
Hunt and ACSC contacted AWS, Diachenko said, and the open instance was closed an hour or two after the report.