Driver’s licence details were among the personal information stolen from Transport for NSW in the Accellion data breach last year, iTnews can reveal.
It has also emerged that at least 500 customers and employees of the agency were impacted in the incident, some of whom are only now being notified.
TfNSW confirmed it was one of a number of large organisations worldwide to fall victim to the data breach against the 20-year-old File Transfer Appliance (FTA) in February 2021.
Two exploits are said to have formed the basis for the attack: one in December 2020 and another in January 2021, both of which were patched by the organisation within a week.
At the time, TfNSW said some data had been stolen, before confirming in December 2021 – as part of a planned second round of notifications – that customer and employee data was accessed.
At no time has it disclosed what types of data were compromised, despite the agency completing final assurance investigations.
However, a notification email obtained by iTnews confirms that driver licence information was included in the data leak.
Other details have also potentially been exposed, including names, email addresses, residential addresses or contact numbers.
It is understood that the compromised information relates to the issuing of new licences by the department.
An FAQ document seen by iTnews also suggests that some affected individuals had previously had their driver’s licence information compromised in another data breach.
It is not clear how the details were originally leaked, but it follows two recent high-profile data breaches involving driver’s licences in 2020.
Driver’s licence information was compromised in a phishing attack against 47 Service NSW staff that exposed the personal information of 103,000 customers.
More than 50,000 scanned driver’s licences were also found in an open S3 bucket thought to belong to a commercial entity.
The FAQ document also indicates that 500 people were impacted in the Accellion breach, though it is unclear if this is the total number of individuals or just those notified in the latest round.
Anecdotal evidence, however, suggests that this figure could be significantly higher.
A spokesperson from the department declined to comment.