Service NSW still waiting to notify on data breach after four months

Service NSW is still waiting to notify customers impacted by an email compromise attack against 47 staff members more than four months after it occurred.

The breach - which took place during April, but was only disclosed in May - saw sensitive data pertaining to an unknown number of customers illegally accessed through staff email accounts.

Only customers who were served by one of the 47 team members with the compromised email accounts are said to have been impacted.

At the time, Service NSW said it would “contact customers who have been affected by the breach as soon as we have the necessary information”.

But despite attesting “a commitment to keep customers and their data safe during the notification period”, Service NSW has not yet contacted the individuals four months on.

The agency will contact impacted customers via registered post to minimise the risk of scammers defrauding citizens by pretending to be Service NSW.

“Service NSW is in the final stage of personalising the notification letter to identified customers,” the agency said in an update this week.

“This has required a number of steps to sort and review the data to effectively match it to customer contact details.

“The data has included handwritten notes and forms, scans and records of transaction applications. This has contributed to the notification timelines.”

When the notification letter is finally issued, Service NSW said it will be “informative and useful”, explaining the “various support options available”.

The agency also said it has introduced a customer care team dedicated to helping customers identified in the breach, suggesting a large number of affected individuals.

iTnews has asked Service NSW how many customers are impacted.

The agency has similarly “changed a number of security systems to mitigate against future cyber attacks of this nature”.