Service NSW breach: agency launches investigation into staff email hacks

Service NSW is investigating hacks into 47 staff email accounts, warning customers that recently engaged in transactions at a customer service centre or over the phone to check their online accounts for suspicious activity.
 

In an official advisory, the state’s chief frontline service delivery agency said the attacks appeared to be the result of criminal activity rather than state-sponsored actors.

This was confirmed by Service NSW’s chief executive, Damon Rees, during a follow-up interview with Channel 9.

“The indications are it looks like it’s organised crime-related rather than [a] state-sponsored [actor],” Rees said.

“We were disappointed and upset this had happened.”

The agency chief has stressed that the breach was limited to the contents of those email which contained information on transactions made over the phone or through counters at physical service centres.

It is as yet unclear what specific data was accessed in the hack. The agency has not responded to requests for further clarification.


‘Deep analysis’ & investigations

Following the breach, forensic specialists have been engaged in a "deep analysis" of the hacked email accounts in an effort to identify any personal information that may have been accessed. The investigation is expected to last several weeks.

“We are now working as quickly as possible to confirm the scope of this attack on the personal information of our customers,” Rees said.   

“This is a very complex issue and the analysis and investigation are both ongoing.”

The Service NSW chief said a dedicated team has been established to assist affected customers.  He added that the agency was contacting customers “[determined to] have been affected by this criminal attack”.

It is understood that NSW and Federal cybersecurity agencies have been briefed along with the NSW Information and Privacy Commission.


Opposition’s call for mandatory reporting

In light of the alleged breach, Leader of the state Labor Opposition Jody Mackay has called on the Government to immediately report cybersecurity incidents to the community whilst further urging drastic improvement to what she framed as a laggard remediation process.

“I am astounded that this breach occurred on the 22nd of April. [For] three weeks the Premier has encouraged citizens of NSW to log on to Service NSW, to get on the site... and all the way through that urging we've had a massive data breach that could possibly affect tens of thousands of people." 

What is more, she said, "no information was given to the users of Service NSW".

"We need to make sure that when there's a data breach, the community is made aware straight away."

Additionally, despite the Auditor-General recording more than 3,000 data breaches to date, Mackay said that still “nothing has been done.”

She believed the latest security breach could serve to undermine public trust in the Government’s customer services systems.

“The Premier should be looking at how this should be addressed, especially where face-to-face services are discouraged.

"We should have every faith in online security. Right now, we don’t.”


Official reporting by Service NSW

The Service NSW website reported the data breach last Thursday, releasing an official media statement under the auspices of the agency’s chief executive, Damon Rees.

The official statement revealed that, on the 22 April, Service NSW launched a “comprehensive investigation in response to the discovery of a possible breach.”

The investigation subsequently identified that email accounts of 47 Service NSW Staff members were illegally accessed.

The agency has since alerted police and authorities of the cyberattack, with customer information held within staff emails potentially accessed by the hackers.

According to the statement, initial assessments have not revealed the full extent of the attack.


Cyber-crime, not cyber-espionage

In its advisory, Service NSW has warned customers to check for unauthorised transactions, changes to their settings, or times or locations where their account may have been accessed.

The agency said that customers should remain cautious about requests for personal information over the internet, whilst also resetting all passwords and PINs.

Service NSW has assured customers that despite the staff email breach, “individual MyServiceNSW Accounts have not been compromised”.

Hacked emails can unlock a virtual treasure trove of information for cybercriminals, including personal data, contacts, or sensitive corporate documents.

Staff email accounts are proving the critical weak point in most organisation's security perimeter, as cybercriminals exploit advanced social engineering techniques (including phishing and spoof emails) to gain access to sensitive data.

The state government was quick to acknowledge the attack was criminal in motive rather than a coordinated state-based campaign.

The bulk of cybercrime indeed remains opportunistic and financially motivated rather than coordinated mass espionage campaigns, often targeting sensitive data stores within government defence or infrastructure programs.

Service NSW processes a wide range of services and manages more than 47.2 million customer interactions per year online, in person, and over the phone. These services include car registrations, notifications about births, deaths or relationships, recreational licenses, and health and safety matters.

The service.nsw.gov.au website will continue to carry further notices regarding the breach and update customers with security advice for users.