Data breach exposes tens of thousands of licences

More than 50,000 motorists in New South Wales have had sensitive information from their licences exposed through an unsecured cloud storage site.

The storage folder, which has been left vulnerable on Amazon’s cloud service, contains back-and-front scans of thousands of licences and tolling notices.

[…Continued]

3 comments
Personal details left vulnerable. Photo: SLD

MASS DATA BREACH

Transport for NSW is yet to alert tens of thousands of people whose full driver’s licence details were ‘mistakenly left exposed’ in an open cloud storage.

The cache was discovered last week by Ukrainian security consultant, Bob Diachenko, who stumbled upon the directory while investigating another data breach.

According to reports, the total number of images inside the directory was 108,535, or about 54,000 licences. Currently, there is no mandatory notification requirement for data breaches in NSW. 

This is quite shocking given the documents revealed names, photos, dates of birth and addresses of drivers, which Mr Diachenko labelled a “dangerous exposure”.

It isn’t clear how long the files had been accessible online, but given how unprotected it was, it probably had been viewed by “malicious actors” who could have made a copy of the files already.

“A malicious actor can impersonate somebody and apply for credit, or do something on behalf of that person,” he said.

“For example, you take one licence and connect the dots with one owner of this licence, with his or her emails … and you’ve got more information on that person.

Personal information like this is commonly traded through online black markets once it made its way into the hands of a criminal.

The office of the NSW Privacy Commissioner, which is delegated to monitor data breaches within state departments, said the data appeared to be linked to an unnamed private business.

“The NSW Privacy Commissioner is aware of the breach and has received a preliminary briefing on the breach from Cyber Security NSW,” a spokeswoman said.

Amazon is refusing to disclose the identity of the owner of the open cloud storage, the NSW government has also revealed. Very suspicious, indeed.

The breach comes just nine months after digital licenses were launched in New South Wales. Could this be linked?

DIGITAL LICENCES

In November 2019, New South Wales citizens were given the option to display their driver’s licences on their phones and use it as a form of identification at pubs and clubs.

The Service NSW app enables people to display their ID on iPhone and Android smartphones, and sparked controversy when first announced across the state last year.

The app reportedly has a number of ‘security safeguards’ (trackers) built into it that make it easier for authorities to verify a card’s validity, including a emblem hologram that moves when tilted.

It also has the ability to scan a QR code to verify that the name displayed on the screen matches the name that is on the database at Service NSW.

Other licences that can be used with the Service NSW app include those for operating a boat, RSA (Responsible Service of Alcohol) and RCG (Responsible Conduct of Gambling) permits. Fishing licences and working with children cards also can be stored here.

When the program was released, Services NSW said it had “built strong partnerships with cyber security and identity theft experts” to protect user data and information, with “comprehensive security measures” they say are on par with those used for internet banking.

Not even 12 months on and now we have a breach. That has gone swell, hasn’t it?

It should come as a surprise, as the program was riddled from the start. Those who raced to get their digital licences were met with a app that wasn’t working, with users met with an error message.

The federal government is currently trialing technology to “simplify how people identify themselves” when using its services, after pouring $92 million into the scheme in the May 2019 budget.

In addition, the project has cost the state government $14.65m to date and is part of a greater push to replace all existing forms of identification with digital replications.

Given this new development, and countless examples beforehand, just how safe will the personal information of Australians be when all forms of identification become digital?

THE PUSH FOR DIGITAL ID

Australia is helping to lead an increasing transition to digital identification, with other states already offering the option of holding a digital driver’s licence before NSW.

This new model follows programs such as Digital iD and GovPass, which are beginning to take significant shape on a national level. In the future, the country’s banks and other regulated private sector entities will also be added to ensure the identity model is a whole-of-economy solution.

The Digital Transformation Agency (DTA) has spent more than $200 million in the push to make identities and individuals more monitored, observable and accountable.

DTA’s Trusted Digital Identification Framework, or TDIF, has recently been released to consumers after five years of testing. The programs are set to streamline the ongoing ‘digital identity solution’ vision, including the TDIF, which is all being pushed in the absence of dedicated legislation.

It is like a science fiction novel coming to life before our very eyes.

This is despite surveys suggesting that fewer than one in four Australians have a strong understanding of digital identification. Yet the push continues to introduce it as soon as possible.

Are authorities intentionally keeping the public ignorant? 

In the future, digital identification will mean having a single point ID check that will be used across all  government services and, ultimately, for any service. This is the vision.

Identity Providers will control, store and manage all user information — which is likely to include birth certificates, marriage certificates, tax returns and medical histories. Not to mention, eventually, biometrics and social behavioural information too.

Interesting when you consider that MyGovID is publicly testing the new facial recognition component of their essential services app, where a variety of benefits are accessed. 

Now, with millions becoming unemployed, more data will be uploaded to this vast system.

As we enter an emerging age of deep fake videos and increased thoughtcrime persecution, it doesn’t take a genius to figure out how the mass collection of data in a society can be used against them.

Beware, beware — the Australian biometric dystopia cometh.


SOURCED CONTENT

Over 54,000 scanned NSW driver’s licences found in open cloud storage | IT News

ALP calls for action after data breach affects 50,000 NSW drivers | Echo Daily

Amazon won’t disclose identity of company linked to driver’s licence data breach, NSW Government says | ABC News

Digital licences introduced in New South Wales | TOTT News

National Digital ID: Australia’s $200 million push | TOTT News

myGovID to begin facial recognition trials | TOTT News



KEEP UP-TO-DATE

For more TOTT News, follow us for exclusive content:

Facebook — Facebook.com/TOTTNews

YouTube — YouTube.com/TOTTNews

Instagram — Instagram.com/TOTTNews

Twitter — Twitter.com/EthanTOTT


3 comments on “Data breach exposes tens of thousands of licences”

Leave a Reply