Australian government agency offers post-mortem of April security incident

A cyber-attack at Service NSW has breached the personal data of 186,000 customers

A cyber-attack at Australian government agency Service NSW resulted in the personal details of 186,000 customers being compromised, it has been confirmed.

The security incident, which happened in April, was originally discovered to have impacted 47 employees of the governmental information office for New South Wales.

More details of the event have now been released, as Service NSW said personal information has been accessed.

“The investigation, which began in April, engaged forensic specialists to analyze 3.8 million documents in the accounts,” Service NSW CEO Damon Rees said in a statement.

“This rigorous first step surfaced about 500,000 documents which referenced personal information.”

According to Rees, the data is made up of documents including handwritten notes and forms, scans, and records of transaction applications.

“Our focus is now on providing the best support for approximately 186,000 customers and staff we’ve identified with personal information in the breach,” he said.


Service NSW said it will notify those affected by mail, with notifications expected to be completed in December.

The agency said it has employed further security measures to protect against this kind of attack.

“Service NSW is among the agencies to benefit from a NSW Government investment of $240 million over three years to further enhance the security of customer information,” the statement reads.

An independent security consultancy is also providing support.

Incident response

When the incident was first revealed earlier this year, a number of Australian outlets reported that the data was accessed following a successful phishing campaign.

While Australia’s Privacy and Personal Information Protection Act does not require government agencies to report data breaches to the privacy commissioner or affected individuals, New South Wales has pledged to introduce the requirement.

Service NSW says that relevant state and federal cybersecurity agencies have been briefed on the incident, along with the NSW Information and Privacy Commission.

The Daily Swig has reached out to Service NSW for further comment.
