Service NSW has been unable to reach more than half the 104,000 customers who had their personal information stolen in an email compromise attack against 47 staff members last year.
The data breach, which exposed 736GB of data between March and early April 2020, is also now likely to cost up to $35 million to remediate, more than five times as much as first estimated.
In an update on Friday, the one-stop shop for NSW government services said it had been unable to reach approximately 18,500 customers to whom it had sent a notification via registered mail but who had not signed for it.
The agency has only used registered mail to notify customers to date in a bid to reduce the prospect of scammers impersonating the agency.
“Service NSW has begun a final round of notification for approximately 18,500 customers who haven’t signed for their registered mail about the cyber attack,” it said.
But the agency has also revealed that a further 36,000 people were never contacted because it was unable to source a current residential mailing address, even after working with Transport for NSW.
“There are approximately 36,000 people for whom insufficient information is available to send a safe notification by registered mail,” Service NSW said.
“The risk to these individuals is considered much lower based on the limited amount of data infiltrated.”
Taken together, it means that Service NSW has been unable to contact 54,500 of the 104,000 people impacted by the data breach.
It is far more than the 20,000 customers that CEO Damon Rees last month estimated had not yet been contacted, though at that time the agency was still receiving returns from Australia Post.
“We are still ensuring that all our customer notifications have been successfully received by customer,” he told the state parliament’s cyber security inquiry.
“Indications are, at the moment, that 70 to 80 percent of customers that we have attempted to notify have successfully received them.”
Service NSW is now “working on alternative methods including the MyServiceNSW Account to safely contact customers”.
It has also worked with NSW Births, Deaths and Marriages, as well as Services Australia and the Department of Foreign Affairs, to apply “stronger security measures” to compromised credentials.
Cost climbs to at least $25 million
After initially estimating the cost of the data breach at $7 million in last year’s budget, which it later revised to “in excess of $30 million”, Service NSW now believes it could “be in the range of $25m - $35m”.
It said this includes the cost of notifying customers, the forensic analysis, investigations and containment of the attack in the immediate aftermath, and the cost of replacement driver’s licences.
The cost also takes into account the dedicated ‘hypercare team’, which consists of 100 Service NSW and Department of Customer Service staff and has supported almost 19,000 calls since September.
“Service NSW is mindful of the expense involved in responding to this incident. Notifying customers individually with tailored information takes time and effort,” Service NSW added.
“Our focus has always been on supporting our customers to protect their personal information.”