Service NSW has revealed that hackers behind an email compromise attack against 47 staff members earlier this year stole 738GB of data, encompassing 3.8 million documents.
In an update on Monday, the one-stop-shop for NSW government services confirmed the data loss, which included the personal information of 186,000 customers.
The breach, which took place during April, impacted customers served by one of the 47 team members who had their email accounts compromised.
Data included handwritten notes and forms, scans and records of transaction applications.
As of last week, however, Service NSW was still waiting to notify affected customers more than four months after the breach took place, suggesting a large number of affected individuals.
Service NSW did not respond to iTnews' questions last week on how many customers were impacted.
But on Monday, the agency said it had now reached the “final stages of analysis into the cyber attack” and was “working to notify customers who had personal information in the breach”.
“The investigation has taken four months and required a highly technical approach to identify the exact amount of customer information in the 3.8 million documents (738 gigabytes of data) stolen from the email accounts,” Service NSW said in an update.
“This rigorous first step surfaced about 500,000 documents which referenced personal information.
“We are now able to focus on providing the best advice for approximately 186,000 customers we’ve identified with data in the breach.”
Service NSW labelled the email compromise as a “criminal attack” that was now the subject of a “NSW Police investigation”.
“The cyber incident was a criminal attack. Cyber attacks occur daily, and we are often able to intercept them. On this occasion we couldn’t stop the attack,” it said.
In response to the breach, Service NSW has “accelerated [its] cyber security plans and the modernisation of legacy business process”.
The NSW Auditor-General is also reviewing Service NSW’s “cyber security defences, practices, systems and education” at Customer Service minister Victor Dominello’s request.
Customers impacted by the breach will be notified using “personalised letters” that offer bespoke support services, “including individual case managers for complex circumstances”.
“Customers at risk will be notified by person-to-person registered Australia Post which they’ll have to show photo ID and sign for,” Service NSW said.
“The letter will be personalised and include important information about the specific individual data accessed during the breach.
“They will be given clear steps to resolve any issues plus an individual case manager if needed.”
Labor's public services spokesperson Sophie Cotsis has called on Dominello to publicly explain and account for why the government has “failed to secure and protect sensitive information from cyber criminals”.
“Under Mr Dominello's watch cyber criminals have broken into Service NSW and may have stolen people's birth certificates, credit card details, medical records, financial information and even sensitive legal enforcement information,” she said in a statement.
Updated 4:45pm to include Labor statement