Amazon is refusing to reveal which ‘commercial entity’ had pictures of more than 54,000 New South Wales driver’s licences publicly stored on its cloud.
Cyber Security NSW is investigating the matter but said on Thursday it had been met with resistance from the tech giant.
‘Amazon Web Services (AWS) currently won’t disclose the name of the entity, but have confirmed it is a commercial entity,’ a spokesman said.
‘Cyber Security NSW’s investigation has focused on working with other organisations to try to identify the owner of the AWS bucket to ensure that the commercial entity is aware of its responsibilities to report and remediate any breach.’
More than 54,000 pictures of NSW driver’s licences were found on an Amazon server last week.
Cyber Security NSW chief officer Tony Chapman said the company needs to be held accountable for the data breach.
‘There are mandatory reporting requirements under the Office of the Australian Information Commissioner that the commercial entity needs to adhere to,’ he said.
While Amazon has not revealed who exactly owned the file, it has revealed that it was a ‘commercial entity’ that scanned licences as part of its business operations.
‘The data … is understood to include scanned copies of driver licences collected directly by the commercial entity from its customers,’ Mr Chapman said.
‘We do not know how long this commercial entity had this data open for and we do not know whether anybody other than the security researcher quoted in media coverage has accessed the information.’
Daily Mail Australia has contacted Amazon for comment.
Mr Chapman stressed that NSW Government agencies did not provide or source the personal information, but rather that it was solely gathered by the mystery company.
While there had been calls for the NSW government to look at which licences were on the cloud site and then notify people their personal information was at risk, the chief cyber security officer said that was up to the private company, which Amazon will not identify.
A Sydney health worker, called Edward, only realised his licence had been leaked when he read a news article about the data breach on Tuesday. He was ‘sickened’ to discover his personal details were leaked.
A redacted picture of Edward’s licence on his mother’s table top was featured in the breaking news story, including his former inner west postcode.
‘I remembered having dinner on that table just two nights ago. The licence featured in the article matched my old postcode and also happened to match the exact benchtop at my mum’s place,’ Edward told ABC News.
‘I put two and two together and realised it was probably my licence.’
Edward’s licence was found inside a digital folder of PDF and JPG files containing 108,535 scanned images of over 54,000 NSW licences.
Ukrainian security consultant Bob Diachenko discovered the folder, which contained phone numbers, addresses and birth dates, on an Amazon cloud storage service – which was completely available for public view.
Mr Diachenko stumbled upon the folder of driver’s licences as well as another folder containing Roads and Maritime Services toll notice statutory declarations.
He said the data leak was a ‘dangerous exposure,’ and said the files had most likely been seen by ‘malicious actors’ who could have made a copy of them already.
‘A malicious actor can impersonate somebody and apply for credit, or do something on behalf of that person,’ he said.
‘For example, you take one licence and connect the dots with one owner of this licence, with his or her emails exposed in another data breach and you’ve got more information on that person.’
IDcare security counsellor Christine Jackson said driver’s licence theft is ‘the golden ticket’ for scammers because they are often used to verify identities by Centrelink, phone companies and banks.
‘So often that will be telephone accounts, mobile phones are purchased, they might purchase iPads, tablets and things like that as well – so it can rack up to a lot of money,’ she told the ABC.
‘They’ll also apply for credit cards, personal loans and they’ll just keep going until your credit history is in a mess and they can’t go any further.
‘And then they’ll lay low for a while, wait for you to clean it up when you find out what’s gone on, and then they’ll reinvest in that compromised document.’
Ms Jackson said brazen criminals even steal licences from victims’ letterboxes after they are sent to their homes by Roads and Maritime Services.
Scams reported to the ACCC involving identity theft or the loss of personal or banking information cost Australians at least $16 million last year.
Four in 10 Scamwatch reports in 2019 involved attempts to gain information or the actual loss of victims’ information.
Some of the ways scammers obtain personal or banking information are through direct requests for scans of driver’s licences or passports, often in dating and romance scams.
Fraudsters can empty victims’ bank accounts, take out thousands of dollars in bank loans under victims’ names, and even purchase furniture or electronics under ‘no-repayments for 12 months’ schemes.
Security researcher Troy Hunt believes the source of the leak could be a fleet or toll road operator.
‘The presence of toll notices [in the leak] is probably a bit of a clue and suggests it’s more likely that it’s a toll operator, or a fleet operator,’ he told Car Advice.
Mr Hunt said the breach would be ‘trivial’ to uncover for anyone with a solid amount of technological knowledge.
‘You don’t have to be at Bob’s level, but if you’re someone who likes to crawl around the internet looking for this stuff [it would be possible] – I’m concerned about someone who makes a concerted effort to find it,’ he said.
‘It was open to public view which was obviously the concerning thing and it’s unclear how long it was open for public view.’
The source of the uploaded files remains unknown, but it’s understood those affected by the breach are yet to be contacted.
Transport for NSW said in a statement it does not retain or collect tolling data and is working with Cyber Security NSW to investigate.