Thousands of NSW driver’s licenses exposed online in a data breach
Last week, tens of thousands of NSW driver’s licenses were left exposed online. The breach was accidentally discovered by Bob Diachenko – a Ukrainian security consultant – who was investigating another data breach.
According to him, the storage folder was easily discoverable and contained scanned images of NSW licences – both front and back sides – along with tolling notices hosted on Amazon’s cloud service.
About 54,000 license images were inside the directory, and the documents revealed names, addresses, dates of birth, and photos of drivers. Diachenko labelled this information a ‘dangerous exposure’.
It’s not clear how long the files had been accessible online, but given how unprotected and easily available they were, they would have been accessed by con artists already. However, Transport for NSW is yet to notify the drivers whose information was accidentally left exposed on the internet.
The spokeswoman for Transport for NSW stated that the collection of driver’s licenses was not related to any government system. The organisation is working with Cyber Security NSW to investigate the data breach and the Amazon Web Services S3 bucket containing personal data of drivers.
A spokeswoman elaborated,
“The breach is not associated with an NSW Government agency or any NSW Government system or process…The Privacy Commissioner understands that a commercial business, unconnected to the NSW Government, was responsible for the breach.”
The Australian Cyber Security Centre has been alerted, and it ensured that the cache was taken offline after contact with Amazon.