Tens of thousands of scanned NSW driver’s licences and completed tolling notice statutory declarations were left exposed on an open Amazon Web Services storage instance, but Transport for NSW doesn’t know how the sensitive personal data ended up in the cloud.
The open AWS S3 bucket was discovered by Bob Diachenko of Security Discovery, as part of an investigation into another data breach.
“All the documents I observed were related to the NSW area and there was no indication as to who could be the owner of the data,” Diachenko told iTnews.
One folder contained 108,535 images of the front and back of scanned driver’s licences, and another contained scans of Roads and Maritime Services tolling notice statutory declarations, in PDF and JPG format.
A spokesperson for Transport for NSW said the agency is working with Cyber Security NSW to investigate what it termed “the alleged data issue relating to an AWS S3 bucket containing personal information including driver licences.”
“Initial information suggests the exposed AWS S3 bucket is not related to Transport for NSW or any government system,” the spokesperson said.
Instead, TfNSW suggested an unspecified third party could be responsible for the data leak.
“Although it is always important for licence holders to be privacy aware when providing their sensitive personal information to other parties, Transport for NSW recognises that some third parties routinely request driver licence information as part of their business processes,” the spokesperson said.
“Transport for NSW’s policies and procedures recognise the need for case-by-case consideration for customers thought to be impacted by identity fraud and where required issues new driver licence/photo cards as appropriate.”
Diachenko shared a directory listing that showed files with date stamps from September and October 2018.
iTnews also sighted a NSW driver’s licence, and a completed tolling notice statutory declaration form for a company, with details such as the birth date and mobile phone number of the person who had filled it in.
Diachenko contacted Troy Hunt of data breach notification service Have I Been Pwned, who in turn alerted the Australian Cyber Security Centre.
Hunt and ACSC contacted AWS, Diachenko said, and the open instance was closed an hour or two after the report.