Service NSW deploys secure data transfer app after phishing attack

Builds solution in-house.

Service NSW has settled on the secure data transfer application that will replace email for sharing sensitive personal information at service centres following last year’s phishing attack.

iTnews can reveal the solution has now been rolled out to almost half of all service centres across the state after being developed in-house by the one-stop shop for NSW government services.

The solution will allow frontline staff to transfer information to other government agencies such as NSW Births, Deaths and Marriages and NSW Fair Trading.

The need for such a solution came to a head in March 2020, when an email compromise attack against 47 Service NSW staff members exposed the personal information of 103,000 customers.

Around 3.8 million documents, including handwritten notes, scans of driver’s licences and records of transactions, were stolen in an incident that has now cost more than $25 million to remediate.

In the absence of alternative methods of information sharing, service centre staff would routinely transfer documents containing personal information to staff in other NSW government agencies using email.

It is a practice that Service NSW itself had identified as a risk at least a year prior, as revealed in a damning audit last year that found the agency was “not effectively handling personal… information”.

The audit called on the agency to take urgent action to address this, which it did by piloting several secure data transfer applications over the first half of 2021 to allow staff to transfer information securely.

In answers to questions on notice from budget estimates, Service NSW last month revealed it had begun the process of rolling out a new transfer solution to its service centre network.

A spokesperson told iTnews that after assessing “several delivery options” following the six-month pilot, the agency selected a solution that was developed in-house and built on a Microsoft stack.

“The solution has been developed by a dedicated Service NSW team. It uses Microsoft products including Power Apps and SharePoint,” the spokesperson said.

“The solution provides an improved method to protect customer information and replaces the use of email to transfer scanned documents.”

At present, 48 service centres across the state have begun using the solution, all but four of which went live in the past month.

The first four service centres – which were involved in the six-month pilot – used the solution to transfer information to Department of Customer Service partner agencies for 280 transactions.

The spokesperson said the full network rollout to all 107 service centres is expected to be completed by January.

Since the email compromise attack, Service NSW has also introduced controls to automatically delete emails that are more than 60 days old.

Earlier this year, CEO Damon Rees said this had singlehandedly reduced the amount of emails in mailboxes by 92 percent since June 2020.

Service NSW also introduced multi-factor authentication across 95 percent of its externally-facing IT systems as part of a $5 million cyber security upgrade.
