Australian State Criticized for Breach Notification Delay
New South Wales Won't Notify All Victims of Months-Old Breach Until Year's End
How quickly should organizations that suffer a data breach notify individuals whose personal information was exposed, potentially putting them at risk of identity theft?
That question continues to dog the government of New South Wales - Australia's most populous state - as it investigates a massive data breach that it first detected in April.
The breach involves the New South Wales Department of Customer Service - aka Service NSW - which is the go-to agency for fishing licenses, driver's licenses, birth certificates and more. On May 14, Service NSW first disclosed the breach, noting that 47 staff members' email accounts had been compromised. "The data that was illegally accessed was stored in email records," Service NSW said in a statement at the time. "Customers should be reassured that individual MyServiceNSW account data has not been compromised."
But it warned that the full scope of the breach remained unclear. Also outstanding is any official confirmation on when the breach began.
On Monday Service NSW revealed that attackers stole 738 GB of data from those 47 employees' email accounts. The expanding impact of the security incident is now putting pressure on the NSW government, led by NSW Premier Gladys Berejiklian, leader of the NSW Liberal Party, to explain why it failed to block the attack, and why it has still failed to notify all individuals whose personal details were exposed, four months after it first detected the breach.
"This is a cyber security meltdown from the Berejiklian Government. 186,000 people's information breached, 3.8 million documents stolen (!) in a massive attack on Service NSW months ago - and they still haven't notified them. Heads should roll. https://t.co/B98UaDvcZ2" - Jodi McKay (@JodiMcKayMP), September 7, 2020
"Heads should roll" in the government as a result of the breach, tweeted MP Jodi McKay, the current leader of the opposition, who heads the NSW Labor Party.
Service NSW now describes the security incident as a criminal attack, which is the focus of an active investigation, dubbed Strike Force Seebree by the NSW State Crime Command's Cybercrime Squad. Police on Wednesday said that the investigation remains active but had no further details to share.
But News 9 reports that investigators believe the attack was perpetrated by an "international crime syndicate" that involved phishing emails sent to staff accounts, although Service NSW has not confirmed those details.
Service NSW said on Friday that none of the 47 email accounts had multifactor authentication turned on at the time of the attacks. But the agency says it has now turned on multifactor authentication within Office 365 for all remote access.
'Manual Review' of Documents
So far, Service NSW has said that the compromised email accounts exposed 3.8 million documents, of which 500,000 contained personally identifiable information pertaining to 186,000 NSW residents.
Exposed documents include "handwritten notes and forms, scans, and records of transaction applications," it says. Such records may have included paper application forms, such as for driver's licenses, that were scanned and attached to emails. Some of the customer data relates to several years of transactions, Service NSW says.
"Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process," the agency said on Monday. "We are sorry that customers' information was taken in this way."
The NSW government has started to notify victims by registered mail, which requires a signature on delivery. But it notes that the notification process may not conclude until the end of this year.
Some experts have cautioned that the notification delay leaves breach victims at risk.
David Lacey, managing director of IDCare, a Queensland-based charity that helps victims of identity theft and is working on this incident, says it's important to know precisely what data was exposed so that victims can be informed of exactly which steps they should take - and also so that unaffected people are not unduly alarmed (see: Data Breach Notifications: What's Optimal Timing?).
Unfortunately, this can be a long and labor-intensive process. "E-discovery is always the most resource-intensive, costly and painful process," Lacey says. "It often takes the longest and is still a process that requires a lot of 'eyes on glass' to trawl through and answer what seems to be a pretty basic question - 'who has been exposed and what were the personal attributes?'"
But Susan Bennett, founder and executive director of Information Governance ANZ, a community for data and information governance professionals, says the NSW government's notification process simply isn't good enough. She notes that the global benchmark - as codified by the EU's General Data Protection Regulation - is for breached organizations to reveal details of what happened, and to identify victims, all within days, to help minimize the harm they might face.
"This delay of months before people have been notified is extraordinary," she says.
Bennett also highlights that the state of New South Wales lacks a mandatory breach notification law. Although Australia has a federal mandatory breach notification law, it doesn't apply to New South Wales government agencies (see: Australia Enacts Mandatory Breach Notification Law).
Individuals who suffer identity theft, meanwhile, may not know if it traces to this particular breach. IDCare's Lacey says his organization has been dealing with an average of 22 data breaches per week covered by just Australia's federal privacy and data breach legislation. He says that 2 million Australians have received a data breach notification in the first six months of this year.
Government Goes on Defense
Responding to such criticism, Victor Dominello, the minister overseeing NSW's government services, has defended his ministry's handling of the breach.
In a Tuesday post to LinkedIn, Dominello says that within 24 hours of learning of the breach in May, the government notified the public, referred the breach to the auditor-general and retained external privacy and security experts to support breach victims.
The government has also established a "hypercare" unit to support victims, and it plans to establish a permanent identity recovery unit, Dominello says.
He also pointed to "legacy" systems as having contributed to the breach, noting that "with email attachments, we have digitized the delivery but not the parcel." And he said steps are underway to improve defenses.
"It is a typical legacy problem," Dominello says, noting that "true end-to-end digital services are more difficult for criminals to attack." He says the government plans to spend 1.6 billion Australian dollars ($1.1 billion) "to accelerate our digital transformation."
Government auditors have warned that New South Wales' public sector needs to shore up its cyber defenses. In December 2019, the Audit Office of New South Wales issued a report saying the state's public sector needs to pay "urgent attention" to its cybersecurity resilience.
Nearly half of NSW government agencies that completed a self-assessment against cybersecurity benchmarks reported that they weren't on track with adopting multifactor authentication to prevent account takeovers, the audit revealed. Such a control helps block phishing attacks from turning stolen passwords into compromised accounts. Had such measures been in place, they might have prevented the massive data breach that NSW is still attempting to mitigate.