Update: Service NSW has revised the number of impacted customers from 186,000 down to 104,000.
Service NSW has revealed that a cyber attack on 47 staff email accounts resulted in the theft of data containing the personal information of 186,000 customers and employees.
The agency on Monday said it was working to notify customers whose personal information had been compromised via registered Australia Post.
Service NSW CEO Damon Rees said the agency began an investigation into the incident in April, and engaged forensic specialists to analyse 3.8 million documents in the email accounts.
“This rigorous first step surfaced about 500,000 documents which referenced personal information. The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications,” he said.
“Across the last four months, some of the analysis has included manual review of tens of thousands of records to ensure our customer care teams could develop a robust and useful notification process.”
While there has been no evidence that individual MyServiceNSW Account data or Service NSW databases were compromised, Rees said the organisation was sorry that customers’ information was taken.
“Our focus is now on providing the best support for approximately 186,000 customers and staff we’ve identified with personal information in the breach,” he said.
Read more: NSW agencies fall short on cybersecurity, audit finds
NSW Police has been working with Service NSW to assess potential lines of inquiry about the attack, while Cyber Security NSW and the Information and Privacy Commissioner have been briefed on the situation regularly.
Service NSW said it has upped its security measures since the incident, has implemented provisions to help affected customers, and has partnered with cyber support service IDCARE to receive additional expert assistance.
The agency has also updated its cyber incident URL with information on the breach as well as resources for the public on protecting their personal information and seeking help.
The registered mail notifications containing information about data accessed during the breach have been scheduled to be sent out by December. Service NSW has urged the public to remember that it would never call or email a customer “out of the blue” requesting customer information about data breaches.
In a series of tweets on Monday and Tuesday, NSW Labor leader Jodi McKay slammed customer service minister Victor Dominello and premier Gladys Berejiklian over their handling of the breach. She has called on Dominello to publicly apologise.
“The breach at Service NSW is appalling — and the failure to notify all victims until December unacceptable,” she wrote.
“It’s 2020 — why is the Berejiklian Government seemingly the last entity in the world to take cybersecurity seriously?”
Read more: NSW government to ‘quadruple’ size of cyber security workforce
Any feedback or news tips? Here’s where to contact the relevant team.