Service NSW has been hit by an email compromise attack impacting the accounts of 47 staff members and information of an unknown number of citizens.
The breach, first reported by 9News, has been referred to police and government cyber investigators to “identify any customer information that may have been accessed.”
“The data that was illegally accessed was stored in email records,” Service NSW said in a statement on Thursday.
“Customers should be reassured that individual MyServiceNSW Account data has not been compromised.”
Service NSW, renowned as a leader in customer-centric face-to-face and digital services, said a comprehensive investigation into a possible breach was launched on April 22.
While the “initial assessments were not clear on the reach of the attack”, the investigation has subsequently identified that 47 staff members were illegally accessed.
9News reported the compromise occurred sometime in April but that it was only communicated to the relevant Minister last night.
The agency said its focus was now on customers “who were served by one of the 47 team members with the compromised email accounts.”
Forensic specialists have been brought in to perform “deep analysis of the email accounts to identify any personal information that may have been accessed”.
“At this point we don’t believe there has been any risk introduced to customers from transactions performed online and via mobile,” the agency said.
“Service NSW will contact customers who have been affected by the breach as soon as we have the necessary information.”
CEO Damon Rees said internal cyber security teams had stopped the attack and limited the impact of customers and services.
“We are now working as quickly as possible to confirm the scope of this attack on the personal information of our customers,” he said.
“We are now confident the criminal access was limited to the content of those email accounts, which are related to transactions over the phone or over-the-counter at a Service NSW Centre,” he said.
“Cyber security is incredibly important and we’re very sorry that we haven’t been able to successfully protect our customers against this complex attack.
“We are going to do everything we possibly can to help customers who have been affected by this. We’ve established a dedicated team to offer help to affected customers.
“This is a very complex issue and the analysis and investigation are both ongoing.”
Service NSW said both NSW and federal cyber security agencies have been briefed, as well as the NSW Information and Privacy Commission.
While NSW agencies aren’t currently required to report data breaches to affected persons, the government has pledged to introduce a mandatory data breaches notification scheme.
