Service NSW has revealed that hackers behind an email compromise attack against 47 staff members earlier this year stole 738GB of data, encompassing 3.8 million documents.
In an update on Monday, the one-stop-shop for NSW government services confirmed the data loss, which included the personal information of 186,000 customers.
The breach, which took place during April, impacted customers served by one of the 47 team members who had their email accounts compromised.
As of last week, however, Service NSW was still waiting to notify affected customers more than four months after the breach took place, suggesting a large number of affected individuals.
Service NSW did not respond to iTnews’ questions last week on how many customers are impacted.
But on Monday, the agency said it had now reached the “final stages of analysis into the cyber attack” and was “working to notify customers who had personal information in the breach”.
“The investigation has taken four months and required a highly technical approach to identify the exact amount of customer information in the 3.8 million documents (738 gigabytes of data) stolen from the email accounts,” Service NSW said in an update.
“This rigorous first step surfaced about 500,000 documents which referenced personal information.
“We are now able to focus on providing the best advice for approximately 186,000 customers we’ve identified with data in the breach.”
Service NSW labelled the email compromise as a “criminal attack” that was now the subject of a “NSW Police investigation”.
“The cyber incident was a criminal attack. Cyber attacks occur daily, and we are often able to intercept them. On this occasion we couldn’t stop the attack,” it said.
The NSW Auditor-General is also reviewing Service NSW’s “cyber security defences, practices, systems and education” at Customer Service minister Victor Dominello’s request.
Service NSW has “accelerated [its] cyber security plans and the modernisation of legacy business process” in response to the breach, the agency said.
Customers impacted by the breach will be notified using “personalised letters” that offer bespoke support services, “including individual case managers for complex circumstances”.
“Customers at risk will be notified by person-to-person registered Australia Post which they’ll have to show photo ID and sign for,” it said.
“The letter will be personalised and include important information about the specific individual data accessed during the breach.
“They will be given clear steps to resolve any issues plus an individual case manager if needed.”