A top NSW bureaucrat has revealed up to 30,000 residents are unaware their private information was compromised in a massive hacking incident last year.
Service NSW chief Damon Rees told a parliamentary inquiry into cybersecurity his team had only been able to reach between 70 and 80 per cent of the 104,000 people whose data was compromised.
“Not all of those individuals we’ve been able to identify have contact information available,” Mr Rees said on Wednesday.
He also revealed the agency still had not stopped the practice of emailing personal data to other agencies, even though that method was found to have contributed to making the hack possible.
Mr Rees said the “unstructured” nature of the data meant Service NSW hadn’t been able to reach everyone who was affected.
“The method of notification in order to not generate risk for the public is registered person-to-person mail, which relies on us having a current, physical mailing address for the individual,” he said.
He said Service NSW had obtained a privacy law exemption from the Information and Privacy Commission to obtain mailing addresses from Transport NSW.
He said the agency was confident it knew the number of people affected, even if it hadn’t been able to get in touch with all of them.
A high-level NSW police official, who also testified in front of the committee, said an investigation into the March 2020 hacking incident was ongoing.
Deputy Commissioner for Investigations and Counter Terrorism David Hudson said police had a “fairly good handle” on what happened and the investigation would progress pending the return of some information from the Australian Federal Police.
“We believe there was malicious intent, which would make it a cybercrime,” he said.
“Some data breaches are caused by human error. Certainly wasn’t the case in this — it was malicious actors.”
The hacking incident was an embarrassment for Service NSW, which was established in 2013 and touted as a “one-stop shop” for government services. It also refers to NSW citizens as “customers”.
In the eight years since its creation, staff have increased from 24 to 3981, while the number of client agencies it cooperates with have ballooned from three to 36.
Service NSW handles information on everything from bushfire relief and traffic fines, to contact tracing data and COVID-19 test results.
The agency’s handling of personal data was savaged in a December 2020 special report by the NSW Auditor-General.
It found the hack did little to change the unsafe and outdated methods Service NSW used to handle sensitive information.
One area of criticism was the habit of some staffers to email personal data to partner agencies, a practice that Auditor-General Margaret Crawford described as “one of the processes that contributed to the March 2020 data breach.”
In Wednesday’s hearing, the Service NSW chief admitted that practice is still ongoing.
“Right now, yes, there is an ongoing dependency on email,” Mr Rees said.
The data that is still being transferred via email includes sensitive drivers license information, he said.
He said Service NSW had accepted the Auditor-General’s recommendation to change that practice, but added that implementing the change would be ongoing at least “through the course of this year”.
The agency was also grilled on its handling of data collected by the smartphone application mandated for use in contact tracing to stop the spread of coronavirus.
Mr Rees could not name off the top of his head the name of the computer system used to store the contact tracing data, but said it was stored in Australia.
The NSW Privacy Commissioner, who was consulted during the development of the contact tracing app, told the committee the data collected by the app was kept for 28 days and then destroyed.
The data is only furnished to NSW Health on request, Privacy Commissioner Samantha Gavel said.
The fact that the app only collected data when a user actively “checks in” was also brought up as an important privacy protection.
“It’s not following you around in the way a lot of apps do,” Ms Gavel said.