Social engineering (Resolved)

Service NSW data breach

A phishing campaign compromised 47 Service NSW staff email accounts, exposing 738 GB of data and roughly 3.8 million documents; about 104,000 customers had personal information including driver's licences and birth certificates stolen.

Victim: Service NSW
Records: 738.0K
Users: 104.0K

In 2020, Service NSW, the one-stop digital and in-person services agency for the Australian state of New South Wales, suffered a major data breach when a phishing campaign compromised dozens of staff email accounts, exposing hundreds of gigabytes of citizens' personal documents.

What happened

Beginning around March 2020, attackers ran a phishing campaign that mimicked a Microsoft Office 365 warning email, directing Service NSW employees to a counterfeit Office 365 login page that harvested their credentials. Through this technique the attackers gained access to the email accounts of 47 staff members.

In April 2020, the intruders exfiltrated roughly 738 GB of data (approximately 3.8 million documents) from the compromised mailboxes. Because the data lived in employees' email rather than a structured database, it was a sprawling and unstructured mix of correspondence, forms, and attachments accumulated over time.

Impact

Service NSW initially estimated that around 186,000 customers had been affected. After a lengthy forensic analysis of the seized documents, the agency revised that figure down to roughly 104,000 customers whose personal information was confirmed stolen.

The exposed documents included highly sensitive identity records: driver's licences, Medicare and health records, birth certificates, firearms registration details, Working With Children Check information, and credit card details. The breadth of identity documents made the breach particularly serious for the risk of downstream identity theft.

Aftermath

In December 2020, the NSW Auditor-General published a critical report on Service NSW's handling of personal information, finding that the agency's business processes, including the routine handling of customer identity documents over email, increased the risk and scale of the breach. The NSW Privacy Commissioner also issued public statements on the incident. Service NSW notified affected customers individually and offered support for replacing compromised identity documents.

Why it matters

The Service NSW breach is a defining Australian example of how phishing against staff email, rather than a sophisticated technical exploit, can produce a breach of national significance when a government agency stores citizens' identity documents in unstructured form. It accelerated the NSW government's push toward multi-factor authentication, reduced retention of sensitive documents in email, and stronger controls over how identity records are collected and stored. The incident foreshadowed the wave of large Australian breaches (Optus, Medibank) that would dominate the national agenda two years later.

Timeline

  1. A phishing campaign mimicking Microsoft Office 365 warnings targets Service NSW staff, compromising 47 email accounts.

  2. Attackers exfiltrate roughly 738 GB of data, comprising about 3.8 million documents, from the compromised mailboxes.

  3. Service NSW publicly discloses that around 186,000 customers may have had personal data stolen.

  4. After forensic analysis, Service NSW revises the number of affected customers down to roughly 104,000.

  5. The NSW Auditor-General publishes a report criticizing Service NSW's handling of personal information.

Sources

  1. audit.nsw.gov.au: https://www.audit.nsw.gov.au/our-work/reports/service-nsws-handling-of-personal-information
  2. service.nsw.gov.au: https://www.service.nsw.gov.au/services/cyber-security/service-nsw-cyber-incident
  3. ipc.nsw.gov.au: https://www.ipc.nsw.gov.au/news-events/statements/privacy-commissioner-statement-service-nsw-cyber-incident-december-2020
  4. siliconangle.com: https://siliconangle.com/2020/09/07/186000-customer-records-stolen-australian-state-government-phishing-attack/

Related incidents

Social engineering (Contained)

Leak at France Travail

On 8 March 2024, France's national employment agency France Travail disclosed a data breach exposing the personal data of up to 43 million jobseekers registered over the previous 20 years, including names, dates of birth, social security numbers and contact details.

Victim: France Travail
Records: 43.0M