Tens of thousands of scanned NSW driver’s licences and completed tolling notice statutory declarations were left exposed on an open Amazon Web Services storage instance, but Transport for NSW does not know how the sensitive personal data ended up in the cloud.
The open AWS S3 bucket was found by Bob Diachenko of Security Discovery, as part of an investigation into a different data breach.
“All the paperwork I observed ended up connected to the NSW spot and there was no indicator as to who may well be the owner of the details,” Diachenko told iTnews.
One folder contained 108,535 images of the front and back of scanned driver’s licences, and another contained scans of Roads and Maritime Services tolling notice statutory declarations, in PDF and JPG format.
A spokesperson for Transport for NSW said the agency is working with Cyber Security NSW to investigate what it called “the alleged details challenge relating to an AWS S3 bucket made up of personalized details together with driver licences.”
“Original details implies the uncovered AWS S3 bucket is not connected to Transport for NSW or any government procedure,” the spokesperson said.
Instead, TfNSW suggested an unspecified third party may be responsible for the data leak.
“Even though it is usually critical for licence holders to be privacy conscious when providing their sensitive personalized details to other parties, Transport for NSW recognises that some 3rd parties routinely request driver licence details as section of their company practices,” the spokesperson said.
“Transport for NSW’s guidelines and strategies recognise the want for circumstance-by-circumstance thought for shoppers thought to be impacted by identification fraud and where essential issues new driver license/image playing cards as acceptable.”
Diachenko shared a directory listing that showed files with date stamps from September and October 2018.
iTnews also sighted a NSW driver’s licence, and a completed tolling notice statutory declaration form for a business, with details such as birth date and mobile phone number of the person who had filled it in.
Diachenko contacted Troy Hunt of data breach notification service Have I Been Pwned, who in turn alerted the Australian Cyber Security Centre.
Hunt and ACSC contacted AWS, Diachenko said, and the open instance was closed an hour or two after the report.