A health care worker has said he was ‘sickened’ to discover his NSW driving licence was leaked online along with 54,000 other people’s across the state.
The Sydney man, called Edward, only realised his licence had been leaked when he read a news article about the data breach on Tuesday.
A redacted picture of Edward’s licence on his mother’s table top was featured in the breaking news story, including his former inner west postcode.
‘I remembered having dinner on that table just two nights ago. The licence featured in the article matched my old postcode and also happened to match the exact benchtop at my mum’s place,’ Edward told ABC News.
‘I put two and two together and realised it was probably my licence.’
Edward’s licence was found inside a digital folder of PDF and JPG files containing 108,535 scanned images of over 54,000 NSW licences.
Ukrainian security consultant Bob Diachenko discovered the folder, which contained phone numbers, addresses and birth dates, on an Amazon cloud storage service – which was completely available for public view.
A Department of Customer Service NSW spokesman said ‘a commercial entity’ was likely behind the data breach.
‘Investigations by Cyber Security NSW into an apparent data breach of NSW Driver Licences by a commercial entity confirms this matter is not related to NSW Government processes, systems or storage in any way,’ he said.
But Edward said he does not remember taking a picture of his driver’s licence on his mother’s table and sending it to a non-Government, commercial entity.
The spokesman also said NSW digital driver’s licences and the Service NSW app were not compromised by the apparent breach and remained secure.
Meanwhile a Transport for NSW spokesman said their state government department did not own the folder.
‘As Transport for NSW is not the owner of the folder and does not have access to its contents, the identities of all those who may have been affected cannot be determined,’ he said.
‘However, Transport for NSW takes customer data security concerns seriously and will support those who have been the victim of identity theft. Where necessary, new driver licence/photo cards are reissued on a case-by-case basis.’
Edward’s shocking story comes after news of the leak broke on Tuesday, sparking warnings from experts that hackers can use the information to apply for credit cards and loans.
Mr Diachenko stumbled upon the folder of driver’s licences as well as another folder containing Roads and Maritime Services toll notice statutory declarations.
‘More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket,’ Mr Diachenko tweeted along with a screenshot of a list of files dating back to 2018.
‘Most likely – part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now.’
Mr Diachenko labelled the mysterious data leak a ‘dangerous exposure,’ and said the files had most likely been seen by ‘malicious actors’ who could have already made a copy of them.
‘A malicious actor can impersonate somebody and apply for credit, or do something on behalf of that person,’ he said.
‘For example, you take one licence and connect the dots with one owner of this licence, with his or her emails exposed in another data breach and you’ve got more information on that person.’
IDcare security counsellor Christine Jackson said driver’s licence theft is ‘the golden ticket’ for scammers because they are often used to verify identities by Centrelink, phone companies and banks.
‘So often that will be telephone accounts, mobile phones are purchased, they might purchase iPads, tablets and things like that as well – so it can rack up to a lot of money,’ she told the ABC.
‘They’ll also apply for credit cards, personal loans and they’ll just keep going until your credit history is in a mess and they can’t go any further.
‘And then they’ll lay low for a while, wait for you to clean it up when you find out what’s gone on, and then they’ll reinvest in that compromised document.’
Ms Jackson said brazen criminals even steal licences from victims’ letterboxes after they are sent to their homes by Roads and Maritime Services.
Scams reported to the ACCC involving identity theft or the loss of personal or banking information cost Australians at least $16 million last year.
Four in 10 Scamwatch reports in 2019 involved attempts to gain information or the actual loss of victims’ information.
Some of the ways scammers obtain personal or banking information are through direct requests for scans of driver’s licences or passports, often in dating and romance scams.
Fraudsters can empty victims’ bank accounts, take out thousands of dollars in bank loans under victims’ names, and even purchase furniture or electronics under ‘no-repayments for 12 months’ schemes.
Security researcher Troy Hunt believes the source of the leak could be a fleet or toll road operator.
‘The presence of toll notices [in the leak] is probably a bit of a clue and suggests it’s more likely that it’s a toll operator, or a fleet operator,’ he told Car Advice.
Mr Hunt said the nature of the breach would be ‘trivial’ for anyone with a solid amount of technological knowledge to uncover.
‘You don’t have to be at Bob’s level, but if you’re someone who likes to crawl around the internet looking for this stuff [it would be possible] – I’m concerned about someone who makes a concerted effort to find it,’ he said.
‘It was open to public view which was obviously the concerning thing and it’s unclear how long it was open for public view.’
The source of the uploaded files remains unknown, but it’s understood those affected by the breach are yet to be contacted.
Transport for NSW said in a statement that it does not retain or collect tolling data, and that it is working with Cyber Security NSW to investigate.