Will Bottom, 23, was one of the thousands of people who had their personal information stolen after hackers breached Service NSW data.

The department confirmed the information of about 103,000 people was compromised after a targeted phishing attack gave attackers access to its internal email systems between March and April 2020.

While many people were unaffected by the leak, scammers latched onto Mr Bottom’s details which were readily available for criminals online.

“Basically, I logged onto my internet banking one weekend and I noticed there was $19,000 missing. I saw there had been two transactions, one for $9000 and one for $10,000,” he told news.com.au.

“I called up the bank to see what happened. They said it would take a few days to process where it had gone. It ended up being from two over-the-counter withdrawals at separate banks in Eastgardens and Miranda.

“Someone had made a replica of my licence but instead it was their photo, it had my name, my date of birth, my signature.”

He reported the stolen transactions to police in Sydney sparking a whirlwind 12-months of working with detectives and being chased by debt collectors.

After the initial theft, he noticed the scammer took another $500 out of his account and bought KFC some weeks later.

While he worked with the bank and the police to find the culprit and return his cash, the scammers kept using Mr Bottom‘s identity to commit crimes.

“They were frauding people, purchasing cars in my name. Every second day I had a call from the police asking if I had bought a car. Then they’d call and ask about a dodgy cheque that bounced,” he said.

“I was getting these toll notices and speeding fines. I own a car and a scooter, when this was all over I went to the Roads and Maritime and there were all these vehicles registered to my name that weren’t mine.

“Then I started getting calls from debt collectors, the scammers had taken out loans and not repaid. The debt collectors were calling me so much I went back to the police to make another complaint.”

In a fortunate instance for the 2GB traffic reporter, his scammer was eventually caught on the Central Coast after receiving a traffic infringement.

However, the impact of the scammers has him concerned for his future.

“In the end, it was a complete identity fraud, they call it identity takeover. I couldn’t do anything, they were completely in control,” he said.

“I am worried in the future about how this will affect my credit score and things like that if I want to buy a house.”

Personal details for as little as $20

Dark web marketplaces are offering personal information for small fees with the number of hackers accessing the information on the rise.

The Office of the Australian Information Commissioner found data breaches rose by 6 per cent in the second half of 2021.

Contact details are most commonly stolen, then personal information such as date of birth and passport, closely followed by bank and credit cards.

Zirilio cybersecurity expert Lawrence Patrick told news.com.au most people don’t realise where their information is and how valuable it is to criminals.

“Personal data is most commonly stolen through phishing – a process where hackers trick people into giving them access to a company’s customer database and then steal files containing the personal details of thousands of victims,” he said.

“Once the data is stolen, hackers sort the information found into what is most valuable including details such as names, emails, passwords, personal identifiers, phone numbers and addresses.

“The data is then repackaged and sold to other hackers on the dark web on marketplace websites at a price of anywhere from $20 to $4500, depending on the type of personal details. “Healthcare records are the most prized though, and they regularly sell for $400 or more per person.”

Mr Patrick added there is often a significant wait from when the hackers access the information to when the company or organisation is aware of the breach.

“Most of the data appearing on the dark web appears to be from hacks of large companies, which shows how important it is that institutions and companies invest in their cybersecurity to protect their customers,” he said.

Service NSW data breach

A top NSW Police official said he believed cybercriminals with “malicious intent” were behind the breach that stole information from Service NSW.

Deputy Commissioner for Investigations and Counter-Terrorism David Hudson said last year officers had a “fairly good handle” on what happened and the investigation would progress pending the return of some information from the Australian Federal Police.

“We believe there was malicious intent, which would make it a cybercrime,” he said.

More Coverage

‘Catfish’ warning: How dark web sex offender accounts target our kids

Thomas Chamberlin

Puzzling find lands alleged dark web dealer behind bars

Cydonee Mardon

“Some data breaches are caused by human error. Certainly wasn‘t the case in this – it was malicious actors.”

Service NSW chief executive Damon Rees last year told a parliamentary hearing into the breach, the agency had been unable to reach more than a third of the 103,000 people who had their data compromised in the March 2020 cyber attack.

Mr Rees said the “unstructured nature” of the data that hackers gained access to meant that it was difficult to identify exactly who had been affected and how to contact them.