Service NSW unable to reach 39,500 residents whose data was compromised in hack
Nearly 40,000 people are still unaware their private information was stolen by hackers in a massive attack against an email server.
Nearly 40,000 people in NSW are still unaware their private information was compromised in a massive hacking incident last year.
Service NSW chief executive Damon Rees told a parliamentary hearing on Wednesday the agency had been unable to reach more than a third of the 103,000 people who had their data compromised in the March 2020 cyber attack.
Mr Rees said the “unstructured nature” of the data that hackers gained access to meant that it was difficult to identify exactly who had been affected and how to contact them.
“It could be the content of an email, it could be a scan of a handwritten document, it could be a scan of a receipt,” Mr Rees said of the stolen data.
He said the agency decided not to contact those impacted via phone or email, opting instead for posting letters, in order to not create further risk to the hacking victims.
The agency sent a round of targeted messages to victims using secure registered mail, and then sent another round of letters with more general information to those hadn’t been reached.
“If you put all that together, 63,500 customers were ultimately successfully notified out of the 103,000 (that were impacted),” Mr Rees said.
Mr Rees said that because the hackers got access to emails, rather than managing to penetrate a “core system”, the data they got access to was scattered. That made it difficult to be certain of the identity of people mentioned in the emails.
“(It impacted our ability) to correlate that information and recognise, that, you know, the information that looks like it relates to someone called Damon Rees in this email account, and the information that looks like it relates to Damond Rees in that email account, are actually the same Damon Rees,” Mr Rees said.
A top NSW Police official has previously said investigators believed cyber criminals with “malicious intent” were behind the hack.
Deputy Commissioner for Investigations and Counter Terrorism David Hudson said in February police had a “fairly good handle” on what happened and the investigation would progress pending the return of some information from the Australian Federal Police.
“We believe there was malicious intent, which would make it a cybercrime,” he said.
“Some data breaches are caused by human error. Certainly wasn't the case in this — it was malicious actors.”
It wasn‘t immediately clear on Wednesday what the status of that investigation was.
When Mr Rees answered questions about the hack at the same February parliamentary hearing, he said between 20 and 30 per cent of victims were still unaware they were impacted.
By Wednesday‘s figures that percentage would have grown to nearly 38 per cent.
Service NSW was established in 2013 and handles information on everything from bushfire relief and traffic fines, to contact tracing data and COVID-19 test results.
Teen arrested after school set on fire
A 13-year-old girl has been arrested after a school in Geelong was set on fire overnight.
Intensifying to Category 5, Hurricane Milton targets Florida
Intensifying to Category 5, Hurricane Milton targets Florida