Transport for NSW has found a greater number of customers and employees had their data compromised in the Accellion data breach last year than previously thought, leading it to issue a second round of notifications.
In February 2021, the agency confirmed it was one of a number of large organisations worldwide to fall victim to the attack against Accellion’s 20-year-old File Transfer Appliance, which saw “some TfNSW information” stolen.
It did not reveal what types of data had been caught up in the breach at the time, pending an investigation with whole-of-government cyber security office, Cyber Security NSW, to understand the full impact.
But after completing the investigation, TfNSW has now confirmed that both customer and employee data had been accessed in the data breach and revised up the number of impacted individuals.
“Following final assurance investigations, TfNSW has identified additional customers and employees who were impacted,” it said last month, without revealing how many more people had had their personal data compromised.
A spokesperson told iTnews the agency began “notifying the additional impacted parties in mid-December 2021”, following on from an initial round of notifications in the first half of 2021, and expected the process to continue until early this year.
Notifications were delivered to customers and employees using email or registered mail, depending on what was available, with a dedicated case officer assigned to offer guidance and support to impacted parties.
When asked by iTnews, the spokesperson would not say how many additional customers and employees had been found to have had their data compromised, or reveal the total number of individuals impacted by the breach.
Two exploits formed the basis for the attack on Accellion’s File Transfer Appliance: one on December 16 2020 and another on January 20 2021, both of which were patched by the company within a week.
But in that time, a number of organisations were impacted in Australia, including NSW Health, the Australian Securities and Investments Commission, multicultural broadcaster SBS and law firm Allens.
A post-incident report commissioned by the Reserve Bank of New Zealand - another high-profile victim - last year found Accellion’s vulnerability notification system was malfunctioning at the time of the incident, leading to a delay in notifying customers.
In answers to questions on notice from budget estimates last year, TfNSW said it became aware that its Accellion servers had been breached on January 21 2021.