Service NSW has been unable to contact between 20% and 30% of the 104,000 people whose data was compromised in a breach last March, a Parliamentary inquiry was told.
The organisation, described as the one-stop shop for government services in New South Wales, has used registered mail to contact the affected people so as not to create further risk, Service NSW chief Damon Rees said. That method relies on the agency holding a current postal address for each of them, he added.
“Not all of those individuals we’ve been able to identify have contact information available,” Rees was quoted as saying by the news.com.au news website.
He also said the organisation was confident it knew the number of people affected. A 30% shortfall in notifications would leave 31,200 people unaware that their data had been breached.
Service NSW was last March hit by an email compromise attack that exposed a staggering 736GB of data from the accounts of 47 staff members. The phishing campaign was understood to have mimicked an Office 365 warning email, prompting employees to visit a fake login page and enter their details.
Service NSW’s handling of information was subsequently criticised in a report issued last December by the state’s Auditor-General Margaret Crawford who said staff emailing personal data to partner agencies contributed to the breach.
At the 3 February Parliamentary hearing, Rees admitted that practice continues, such as for drivers’ licence information.
Service NSW has accepted the Auditor-General’s recommendation to alter its methods, but Rees said implementing the changes would take at least the rest of this year.
Deputy Commissioner for Investigations and Counter Terrorism David Hudson told the inquiry a police investigation into the hack is ongoing and they have a “fairly good handle” on what happened.
“We believe there was malicious intent, which would make it a cybercrime. Some data breaches are caused by human error. Certainly wasn’t the case in this – it was malicious actors.”