Service NSW has revised down the number of customers impacted by an email compromise attack against 47 staff members earlier this year, but not before wrongly notifying 25,000 people.
In September, the one-stop shop for NSW government services revealed – after a four-month-long investigation – that 186,000 customers had their information stolen by unknown attackers.
The breach, which took place in March, exposed 736GB of data, encompassing 3.8 million documents such as handwritten notes, forms, scans and records of transaction applications.
But in an update issued on Wednesday, Service NSW said that further analysis of the attack had revealed that far fewer customers were impacted than previously thought.
“Ongoing analysis into the methods used in the cyber attack has found significantly fewer customers were affected than first thought,” it said in a statement.
“The number of customers who will need to be contacted has been revised accordingly.”
The Sydney Morning Herald is reporting that the actual figure is closer to 106,000 after a portion of the emails in the 47 affected accounts were ruled out by Service NSW.
The estimation error led to around 25,000 people being wrongly notified as having been a victim of the breach, just over 3500 of whom have requested a new driver’s licence.
A spokesperson for Customer Service Minister Victor Dominello confirmed the figures, which come ahead of the release of a review of the breach by the state’s auditor-general on Friday.
The review, which will assess Service NSW’s handling of sensitive customer information, was commissioned by Dominello in the aftermath of the data breach.
It comes after another audit, which urged the government to improve its cyber security for a third straight year, put the cost of the breaches at around $5 million higher than the $7 million reported.
“During 2019-20, Service NSW and DCS [the Department of Customer Service] incurred $4.8 million to investigate and remediate cyber security incidents,” the audit said.
“Service NSW also disclosed a contingent liability of $7.0 million in 2019-20 financial statements for potential related legal and investigative costs in 2020-21.”
It also indicated that “two significant cyber security breaches” took place as a result of the email compromise in March.
Service NSW has apologised for the “disruption” caused by the error and is now sending out new notification letters to “those customers who did receive information that will need to be updated”.
“The Service NSW hypercare team will work closely with customers affected by these changes,” it said.
In response to the breach, Service NSW introduced multi-factor authentication across email and a number of other systems as part of a $5 million “cyber security upgrade program”.
The program is expected to ensure that Service NSW systems, including any information processed, stored or communicated, are protected.