Thousands of Service NSW customers are being informed that their data may have been compromised last month, after the government agency exposed it following a website update.
According to Greg Wells, Service NSW’s chief executive, the incident occurred on 20 March and exposed the personal information of 3,700 customers who logged in between 1:20pm and 2:54pm.
This led to customer data being visible to other customers, with data potentially including names, addresses, mobile numbers, license numbers, vehicle registration and insurance details, and the details of a customer’s children.
> Notification of a privacy incident
> ... Service NSW believes that any risk of harm presented by this incident is very low
data exposed: pic.twitter.com/QSl5RwBCM7
— Richard Nelson (@wabzqem) April 3, 2023
The email to those affected confirms that the incident “was not a cyber attack and Service NSW believes that any risk of harm presented by this incident is very low”. It also says that the incident was “isolated to the website only” and that users of the mobile app are safe.
“Since becoming aware of the incident, Service NSW has undertaken a detailed investigation to understand the scope of the incident and the risks arising from it,” added Wells.
“In this case, I have reason to believe it was an isolated incident that only impacted customers that were logged in at the time.”
The response to the breach, which has been confirmed as an error on Service NSW’s part by the government agency, is already being criticised by those affected.
The email tells affected customers that they need not take any immediate action as the personal details were “only available to another logged-in individual for a short period of time and was not searchable”.
One Twitter user said that this part was particularly frustrating, responding to Service NSW by asking, “if your AWS creds were exposed publicly for a ‘short period of time’, non-searchable, would you be taking no action?”
This part bothers me. The PII here is significant. @ServiceNSW if your AWS creds were exposed publicly for a “short period of time”, non-searchable, would you be taking no action? pic.twitter.com/wIgcj0tE7K
— Richard Nelson (@wabzqem) April 3, 2023
Service NSW has begun a review of the incident to prevent similar issues from arising in the future. Furthermore, the agency has advised customers that they can contact ID Support NSW for counselling and help restoring their identity.
The incident occurred only days after the federal government said that it was looking to introduce a digital version of the Medicare card to the Service NSW app.
Users of the MyGov app have been able to use the digital card since Thursday (30 March), with the government saying that having the digital version provides additional security while also making it more accessible.
Like other digital wallet items on the MyGov app, the Medicare card has verification that the card is real, with a QR code and hologram.