Documents obtained by The Australian show Service NSW ­decided not to inform many ­vic­tims whose data was stolen by criminals during a phishing attack on the department in April 2020, despite acknowledging the theft of their personal information could cause them serious harm.

In response to questions from The Australian, Service NSW ­admitted it did not try to count the number of victims it designated as “Category Five” customers, even though a confidential cabinet briefing states “the risk of serious harm cannot be excluded because of the size and unstructured nature of the data set”.

Service NSW announced last year that 186,000 customers (later revised down to 103,000) had ­personal data stolen after hackers gained access to the email accounts of 47 employees.

The agency had been specifically warned by the Auditor-General two years before not to keep customers’ private information on employee email accounts.

The data breach has cost taxpayers $35m but only 41 people have so far been compensated, to a total of $23,905, Service NSW CEO Damon Rees confirmed.

Fewer than half of those affected have been notified.

Service NSW separated customers into five categories based on their risk of harm as a result of the breach, based on expert and police advice. In the August cabinet briefing obtained under freedom of information laws, Service NSW states: “Category Five has been designed so that customers in this category have little or no risk.”

Private companies have a legal obligation to report data breaches but the NSW government is exempt from the requirement.

Customers whose information was stolen have told The Australian of an increase in suspicious and fraudulent activity, including identity theft, hacking of business websites, an increase in phishing emails, as well as myriad psychological and financial costs.

One small business owner who wishes to be known only as Jane started noticing strange activity and technical problems on her computer last April, months before being informed of the breach.

Jane hired a website technician who told her the computer had been hacked multiple times. She lost a week of income from her fashion and style business, as well as half her website’s organic traffic of 250,000 hits per month.

The next week, Jane received two emails addressed to her by name. In the first, the senders informed her they had hacked her computer and were watching her via its webcam. The next day, they told her they were watching her from outside her house.

Two months later — six months after the initial breach — Service NSW sent her a letter to inform her that her passport, Medicare, driver’s licence, marriage certificate, child’s birth certificate, email and phone number had all been stolen in the breach.

“I was livid,” she said. “I had all my private information stolen and I didn’t know for six months. I actually thought it was a joke at first. I thought it was a fake letter. It was so unbelievable that there was that much data stolen.

“The first thing they asked me was whether I was planning to seek compensation. I cannot tell you how angry I was. I decided not to (seek compensation) because I thought that was how they were planning to make the problem go away.”

The case manager assured her it had been reported to NSW Police, but when Jane checked, the police had no record of the case.

“I check my credit rating every month to see no applications have been made. I will have to do this for the rest of my life. This person or group has everything about me.

“The concern with my case, is that whoever has my data is using it.”

Labor MP Sophie Cotsis is calling for a mandatory reporting law for government agencies to be legislated in NSW after she was also caught up in the breach.

“It is deeply concerning that the standards that apply to the private sector do not apply to the NSW Government,” Ms Cotsis said.

“Imagine, if a top Australian company notified their customers that their private information had been accessed by criminals a year after the event.”

As of April, Service NSW continues to send personal information via email and has not updated its protocols.

More related stories

Politics

Ley battles against the opposition leader curse

Of the seven politicians before Sussan Ley to take on the leadership of a party defeated at a recent election, only one – Anthony Albanese – has gone on to become prime minister.

Read more

Politics

PM backs away from joining France in recognising Palestine as state

Anthony Albanese suggested there first needed to be a ‘structure’ for a Palestinian state, saying he wouldn’t support any country with Hamas at the heart of it, while also slamming the ‘completely indefensible’ civilian death toll in Gaza.

Read more