Months after the privacy breach was exposed, tens of thousands of NSW residents whose driver’s licenses were exposed in a leak online have not been informed by the company responsible for doing so.
As first reported by iTnews in August, a researcher discovered that scans of 54,000 NSW driver licenses — the old school plastic ones, not the digital new version — were accessible online in cloud storage.
Security Discovery’s Bob Diachenko discovered an open Amazon Web Services bucket which had 108,000 images of the front and back of licenses, along with some scans of statutory declarations.
It was soon confirmed that person behind the breach was not the NSW government, but rather a third-party. The state’s cyber security body Cyber Security NSW soon disclosed it was a company that was responsible for the breach, and that it was investigating further.
But three months later, we’re no closer to knowing who is responsible or, importantly, who was affected.
Cyber Security NSW confirmed that Amazon has not said who ‘owned’ the bucket. As a result, they haven’t found out any more details about the driver’s license leak.
“NSW Government is therefore not aware of the identity of the commercial entity, nor NSW customers that may have been affected by the breach,” a spokespeerson for the agency said to iTnews.
Cyber Security NSW said that it’s working with state and federal agencies to figure out who was behind the breach and who has been caught up in it.
As the breach is not considered likely to result in serious harm, there’s no requirement to notify the people involved.
But even still, there’s a lot that can go wrong with a driver’s license leak and would be a moderate risk for identity theft and generally scams. And that’s a pretty good reason to have to tell people who were involved but still, months later, have absolutely no idea.
Let’s hope that this gets sorted ASAP.