In March 2020, Service NSW (SNSW) was the victim of a criminal cyber-attack. Upon investigation, it was determined that 47 SNSW staff email accounts were compromised and 730 GB of data was exfiltrated, comprising 3.8 million documents that relate to up to 186,000 customers.
The types of personal information compromised included sensitive data such as driving licences, birth certificates, passports, police checks, bank accounts, names and email addresses, which have the potential to result in significant customer impacts.
For staff or former staff, the types of personal information also included information gathered during recruitment and onboarding, including in many cases their personal particulars and tax file numbers (TFNs), as well as sensitive employment-related items such as disciplinary and health matters.
Service NSW continues to assist customers impacted by the cyber-attack on the contents of Service NSW employee inboxes.
Of the approximately 18,500 final notification letters sent to customers in May 2021, approximately 15,000 were successfully delivered and approximately 3,500 were returned to sender. These letters are a second attempt to reach those people who did not sign for their first registered mail notification.
The Service NSW Hypercare team received approximately 34,000 general privacy calls and approximately 21,000 calls from affected customers, including approximately 400 calls from customers who received their second attempt notification letters.
Of the approximately 67,000 customers for whom Service NSW have sufficient information to attempt a safe notification via registered mail, approximately 95% have received their notification.
In May 2021 Service NSW introduced a digital proof-of-identity check for customers contacting the Hypercare team. This option has been popular with our customers and remains an important part of our Hypercare service delivery during the COVID-19 pandemic.
Customer satisfaction with the Hypercare service is 84.67%.
Previous updates
20 May 2021
This week, Service NSW has begun sending final notification letters to approximately 18,500 customers regarding the cyber attack on the contents of 47 Service NSW employee inboxes.
These letters are a second attempt to reach those people who did not sign for their first registered mail notification.
Our first notification letters required customers to undertake a proof of identity check in order to collect a registered letter from Australia Post containing the details of stolen data.
18,500 customers did not sign for their letter, so Service NSW is trying again to reach them through generic letters that will be delivered directly to customers’ letter boxes.
These letters will not include the details of stolen data but will include steps on how to contact the Service NSW hypercare team for more information and support.
Customers contacting the hypercare team for information on the detail of stolen data will now have the option of undertaking an identity check online.
Customers who have access to a mobile device or a computer with a video camera will be able to complete a Proof of Identity check visually with our hypercare team, at a place that suits them.
Service NSW’s response to the attack continues to be led by our commitment to support every one of the approximately 103,000 affected customers.
Post incident review
In April 2020 Information Integrity Solutions led by former federal privacy commissioner Malcolm Crompton was engaged to:
- provide Service NSW and the Department of Customer Service with advice during the response, and
- deliver a post-implementation review (published as a PDF).
Service NSW and DCS have welcomed the detailed report and are reviewing the recommendations to determine improvements to their cyber and privacy incident response systems.
Service NSW will never cold-call or email customers asking for personal information.
If you want to confirm any communication from Service NSW, call us directly on 13 77 88.
25 March 2021
Update on our efforts to notify customers
Service NSW has begun a final round of notifications for approximately 18,500 customers who haven’t signed for their registered mail about the cyber attack on 47 staff email inboxes in 2020.
There are approximately 36,000 people for whom insufficient information is available to send a safe notification by registered mail. The risk to these individuals is considered much lower based on the limited amount of data exfiltrated.
The investigation into the data accessed in this attack has been led by our resolution to do the right thing by every affected customer.
Where possible, Service NSW has taken action to reduce the risk through working with other government agencies including NSW Births, Deaths and Marriages, Services Australia and DFAT to have stronger security measures applied to the identity credentials compromised in the cyber incident.
Service NSW is also working on alternative methods including the MyServiceNSW Account to safely contact customers.
Support for impacted customers
Our goal has been to provide the best support we can. To date we have supported almost 19,000 calls through our dedicated hypercare team.
About 84 percent of customers surveyed about their experience with the dedicated customer hypercare team said they were extremely satisfied with the offering. More than 85 percent of customers agreed the hypercare experience effectively answered and resolved their challenges.
If you have attempted to access hypercare but feel you haven’t received the support you need, please contact our Chief Privacy Officer at privacy@service.nsw.gov.au.
Our ongoing response to NSW Audit Office recommendations
In addition to a broad range of measures to strengthen cyber security (including the implementation of Multi Factor Authentication for email accounts in 2020), Service NSW has also made positive changes to make data and privacy management more robust, including:
- reducing information retained in Service NSW email accounts by more than 90%
- having mandatory Privacy training for all Service NSW employees
- updating the Service NSW Privacy Management Plan
- starting the migration to more secure data transfer methods with our partner government agencies
- implementing a risk appetite statement with a low appetite for privacy and cyber security risk, meaning that we take all reasonable measures to detect and avoid cyber and privacy impacts arising from our products and services.
Our progress towards addressing the recommendations from the audit report is as follows:
Recommendation | Target Date (NSW Audit Office) | Status
---|---|---
1. Implement a more secure method of transferring personal information to Partner Agencies | As a matter of urgency | In progress
2. Review the need to store personal information and, where it is needed, implement more secure storage | As a matter of urgency | In progress
3. Ensure all new Partnership Agreements from 1 April include specific privacy provisions and clarify responsibilities | 31 March 2021 | On track
4. Review the privacy management plan and update where required | 31 March 2021 | Complete
5. Review the policies and processes that outline how privacy risks are managed | 31 March 2021 | On track
6. Improve controls, security and functionality of Salesforce and the MyServiceNSW Account to better protect personal information | 30 June 2021 | On track
7. Update existing Partnership Agreements to include specific privacy provisions and clarify responsibilities | 31 December 2021 | On track
8. Conduct a Privacy Impact Assessment (PIA) on all systems, transactions and processes that are high risk (if no PIA exists) or have had major changes since their last PIA | 31 December 2021 | On track
The investment in our best-in-class response and customer support
Service NSW has dedicated significant resources to the complex and sensitive task of identifying, notifying and supporting impacted customers. This has been key to providing a best practice, customer centric approach for people with tailored and secure communication about the impact of the breach and the steps they could take to respond and further protect their personal information.
The response to the incident, and support being provided to affected customers, is ongoing. The cost to manage this incident and support impacted customers is expected to be in the range of $25M - $35M. This figure includes:
- a dedicated Hypercare team of over 100 Service NSW and Department of Customer Service team members who are supporting customers to access support such as replacement identity documents, IDCARE (Australia's national identity and cyber support service) and privacy complaints
- Transport for NSW's replacement of compromised driver licences free of charge to customers
- forensic data analysis to identify our customers affected by the cyber incident, and the costs of securely notifying customers through registered mail
- expert cyber investigations and containment immediately after the cyber-attack.
Service NSW is mindful of the expense involved in responding to this incident. Notifying customers individually with tailored information takes time and effort. Our focus has always been on supporting our customers to protect their personal information.
Important: Avoiding scams
Service NSW will never call or email customers asking for personal information. If you want to double check any communication by the agency, call Service NSW directly on 13 77 88.
5 February 2021
Service NSW is continuing to support customers who were affected by a cyber attack on 47 employee email inboxes in 2020.
Investigations into the methods used by the cyber criminals allowed Service NSW to significantly revise down the number of customers with data stolen in the incident from approximately 186,000 to about 104,000. The analysis is now complete.
Service NSW notified at-risk customers by person-to-person registered Australia Post. The letter was personalised and included important information about the specific individual data accessed during the breach.
Service NSW introduced a specialist customer care team that helped customers understand their options for keeping online records secure or, where necessary, helped arrange new NSW credentials.
Service NSW has learned significant lessons from the incident. Processes have been changed to keep customer data more secure.
What was not affected by the 2020 breach
The cyber attack on Service NSW in 2020 related only to the contents of 47 employee inboxes and not to any other Service NSW systems.
The attack did not compromise the Service NSW app nor its data security.
The COVID Safe check-in experience remains secure.
The cyber attack did not breach the MyServiceNSW Account or other Service NSW databases.
Taking care online
Below are some steps to check and protect your identity, finances and personal information.
Use two-factor authentication
Set up and learn to use two-factor authentication (2FA) for your important accounts.
Fortify your finances
Check bank statements and report anything amiss, and set up a credit alert.
COVID-19 scam messages
Be alert to emails and calls from unknown sources or requesting personal details.
Protective measures for individuals following a data breach
Check with the ATO for any unauthorized requests for early release of your super.
For more guidance, please visit Staying Safe Online.
15 December 2020
Service NSW has continued to place the safety of customer and staff data at the centre of its response to the cyber attack on 47 employee email accounts in March this year.
Ongoing analysis into the methods used in the cyber attack has found significantly fewer customers were affected than first thought.
The number of customers who will need to be contacted has been revised accordingly.
Service NSW is sending new letters via registered post to those customers who did receive information that will need to be updated. We apologise for the disruption this has caused.
The Service NSW Hypercare team will work closely with customers affected by these changes.
Service NSW will never ask for private information in a cold-call to you about this or any other security matter. Any customer who has doubts about someone claiming to be from Service NSW is encouraged to call Service NSW directly on 13 77 88.
30 October 2020
Service NSW is in the final stages of analysis into the cyber attack earlier this year on 47 staff email accounts and we're now working to notify customers who had personal information in the breach.
Customers at risk will be notified by person-to-person registered Australia Post. The letter will be personalised and include important information about the specific individual data accessed during the breach. They will be given clear steps to resolve any issues plus an individual case manager if needed.
We announced the breach in May, soon after it was initially discovered. However, the investigation into the specifics has taken 4 months because of its complexity. There were 3.8 million documents stolen. The first step was to investigate all of these to understand exactly how much customer information they contained. This revealed about 500,000 documents. From here the data was "washed" (cross-checked) and enriched with data held by other Government sectors to match it accurately with individuals and obtain their latest residential address details.
This process made it possible for us to then notify each affected individual about their specific situation. We took this approach on the advice of external experts IDCARE and Information Integrity Solutions Pty Ltd who have both provided expert independent assessment and advice.
Armed with these details, all affected customers are now able to replace or reissue those credentials known to be stolen. It has been important not to disclose these details until this point, to protect customers from additional threat of scams.
We are now able to focus on providing the best advice for the approximately 186,000 customers we've identified with data in the breach. In addition to the personalised letters being sent by Registered Australia Post, we have a bespoke support service available, including individual case managers for complex circumstances.
The cyber incident was a criminal attack. Cyber attacks occur daily, and we are often able to intercept them. On this occasion we couldn’t stop the attack. There is a NSW Police investigation underway and a review by the auditor general of Service NSW’s practices and systems. This audit will assess how effectively Service NSW handles personal customer and business information to ensure its privacy.
We have accelerated our cyber security plans and the modernisation of legacy business processes to keep customer information as safe as possible.
Whether or not you’ve been affected by this breach, below are some steps to check and protect your identity, finances and personal information.
Use two-factor authentication
Set up and learn to use two-factor authentication (2FA) for your important accounts.
Fortify your finances
Check bank statements and report anything amiss, and set up a credit alert.
COVID-19 scam messages
Be alert to emails and calls from unknown sources or requesting personal details.
Protective measures for individuals following a data breach
Check with the ATO for any unauthorized requests for early release of your super.
For more guidance, please visit Staying Safe Online.
Video: Service NSW - Cyber Attack Response
Over the coming months the NSW Government will be working to raise awareness of scams and empower people to better protect their own identities when working online.
We know this may be a stressful time for many people. If you need emotional support, both Lifeline and Beyond Blue may be able to help you. You can call Beyond Blue’s 24/7 support line on 1300 224 436, and Lifeline can be contacted via phone 24/7 on 13 11 14.
31 August 2020
The Service NSW response to the cyber attack on 47 employee email accounts has been driven by the commitment to keep customers and their data safe during the notification period.
The agency is developing a comprehensive notification process that focuses on 3 outcomes:
- ensuring the notification to identified customers is informative and useful
- making the notification process secure by using Australia Post Registered Mail, which requires the customer's signature, for delivery
- notifying customers as soon as possible.
Service NSW is in the final stages of personalising the notification letter to identified customers. This has required a number of steps to sort and review the data to effectively match it to customer contact details.
The data has included handwritten notes and forms, scans and records of transaction applications. This has contributed to the notification timelines.
The notification letter explains the various support options available.
Service NSW has introduced a new customer care team which will be dedicated to helping customers identified in the breach.
Service NSW has changed a number of security systems to mitigate against future cyber attacks of this nature.
Service NSW will not contact customers out of the blue by telephone or email about this or any other cyber security breach asking for privacy or payment information.
If you doubt the veracity of any contact by someone claiming to be from Service NSW, please call our contact centre directly on 13 77 88.
23 July 2020
The forensic investigation into the Service NSW cyber attack has provided valuable information including how to effectively validate and identify customers affected by the breach.
The safety of our customers and the protection of their data have been the guiding principles for the investigation.
Service NSW has been working in parallel to modify processes so that our operations better reflect best practice privacy principles.
The initial analysis is now complete and Service NSW is undertaking data quality activities in preparation for notifying identified customers.
Please note that identified customers will be notified by registered Australia Post, which will require the customer to sign for it.
Service NSW will not be contacting customers by phone or email in relation to this incident to minimise the risk of scammers attempting to defraud you by pretending to be Service NSW.
Any customer who has doubts about the veracity of a contact by Service NSW is encouraged to call the Service NSW contact number, 13 77 88.
12 June 2020
Service NSW is placing the safety of customers and their data as a priority above all others as we assess the impact of the cyber attack on 47 mailboxes in our email network.
The analysis into the attack on Service NSW staff email accounts is ongoing and the specialist teams are working through complexities including ensuring the data remains secure during the review.
Where the specialists have been able to identify customers with sensitive data that was accessed in the cyber attack, we’ve used secure methods to inform those customers. We are helping people with advice about how to keep their private information secure or change their records.
Service NSW continues to build on its care model to ensure it is equipped to handle enquiries from customers affected by the breach.
28 May 2020
The investigation into the cyber attack is progressing and the team of forensic specialists is focusing on the email data which is most likely to contain customer information.
Our priority is the safety and security of every customer affected by the incident, and we are committed to the best possible customer experience in our response to this breach.
Our dedicated care team has begun contacting customers using secure methods where we have identified data accessed in the attack.
There is no evidence that Service NSW databases were compromised and the network and systems of record that store licence information are not affected by this breach.
Please note that Service NSW will never ask you to click on a link requesting private information, or ask you to email private information unless this is something you have previously agreed to with Service NSW.
Service NSW will never ask for private information in a cold-call to you without your having the option to independently verify the identity of the caller.