Service NSW has begun piloting a series of secure data transfer applications to end its unhealthy reliance on email for sharing sensitive personal information with other government agencies.
But, for now, email remains one of the main mechanisms of transfer, despite the practice being labelled a key factor in last year’s massive email compromise attack in which 736GB of data was exposed.
The data breach, which took place in March 2020, was the result of a malicious phishing campaign that prompted Service NSW employees to enter their credentials into a fake Office 365 login page.
It saw the personal information of around 106,000 customers stolen, though this figure was originally said to be 186,000.
Fronting the parliamentary inquiry into the government’s handling of cyber security, Service NSW CEO Damon Rees said the one-stop shop was in the process of finding a secure alternative for transferring data.
“We have a number of technologies that we’re looking at there and piloting at the moment,” Rees said on Wednesday.
“We need to be very careful that when we make that change, we make it to a more secure alternative and we get the processes and the human elements right, as well as the technology.”
A secure method of transferring personal information between Service NSW and client agencies was a key recommendation in a damning December audit into the agency’s data handling practice.
The audit called on Service NSW to take urgent action to address this after concluding that it was “not effectively handling personal customer and business information to ensure its privacy”.
Paper forms containing names, dates of birth or phone numbers, as well as scans of physical driver’s licences, are some of the typical types of information sent to other agencies using email.
While Service NSW is yet to find a secure alternative for the transfer of information, Rees said that the agency is now automatically deleting emails that are more than two months old.
“One of the actions that we took last year was to remove all email held in the accounts of customer services staff that was over 60 days old,” he said.
“That one action on its own reduced the amount of email held in those mailboxes by about 92 percent, and we’ve got further controls on top of that searching for specific points of information and removing them in a faster timeframe.”
Rees also said that the Office 365 platform has been strengthened, and that he hoped to eventually remove manual handling altogether through a “fundamental digitisation of those processes”.
“We are already working towards, and through the course of this year, we will – if not eliminate – then greatly reduce the dependency on email for handling information,” Rees said.
A criminal investigation into the breach is still ongoing, with NSW Police currently waiting on referrals from the Australian Federal Police.
Rees added that the “number of people that have requested compensation or reimbursement is low – it’s in the hundreds.”
Email alternative was Accellion
The committee also heard that the impact of the Accellion file transfer appliance (FTA) hack will likely be felt beyond just NSW Health in the state government.
NSW chief cyber security officer Tony Chapman told the inquiry that “agencies across NSW were, in fact, using Accellion as an alternative to email” for securely transferring data.
Cyber Security NSW is currently “coordinating the whole-of-government response [to the breach] with potentially impacted agencies”.
It is working with undisclosed “forensic specialists, as well as Accellion, to determine the extent of the potential impact”, though Chapman wouldn’t say what other agencies may be at risk.
“At this stage, investigations are undergoing. It’s a complex matter, involving forensic work with external specialist providers to government,” he said.