Tens of hundreds of scanned NSW driver’s licences and completed tolling notice statutory declarations were left exposed on an open Amazon Web Services storage instance, but Transport for NSW does not know how the sensitive personal data ended up in the cloud.
The open AWS S3 bucket was discovered by Bob Diachenko of Security Discovery, as part of an investigation into another data breach.
“All the documents I noticed have been associated to the NSW spot and there was no sign as to who could possibly be the proprietor of the info,” Diachenko told iTnews.
One folder contained 108,535 images of the front and back of scanned driver’s licences, and another contained scans of Roads and Maritime Services tolling notice statutory declarations, in PDF and JPG format.
A spokesperson for Transport for NSW said the agency is working with Cyber Security NSW to investigate what it called “the alleged info problem relating to an AWS S3 bucket that contains own info such as driver licences.”
“Original info signifies the uncovered AWS S3 bucket is not associated to Transport for NSW or any govt process,” the spokesperson said.
Instead, TfNSW suggested an unspecified third party could be responsible for the data leak.
“Although it is constantly essential for licence holders to be privacy conscious when supplying their delicate own info to other parties, Transport for NSW recognises that some 3rd parties routinely ask for driver licence info as element of their enterprise procedures,” the spokesperson said.
“Transport for NSW’s policies and techniques recognise the require for circumstance-by-circumstance consideration for buyers believed to be impacted by identification fraud and in which required problems new driver license/photograph cards as appropriate.”
Diachenko shared a directory listing that showed files with date stamps from September and October 2018.
iTnews also sighted a NSW driver’s licence, and a completed tolling notice statutory declaration form for a company, with details such as the birth date and phone number of the person who had filled it in.
Diachenko contacted Troy Hunt of data breach notification service Have I Been Pwned, who in turn alerted the Australian Cyber Security Centre.
Hunt and ACSC contacted AWS, Diachenko said, and the open instance was closed an hour or two after the report.