Service NSW is failing to protect the privacy and personal information of customers, according to an investigation sparked by a massive cyber attack on the government agency last year.
Auditor General Margaret Crawford found Service NSW’s current business processes continue to put the privacy of customers at risk, and says there are “significant” weaknesses in security controls over its Salesforce CRM which holds the personal information of more than four million NSW residents.
She also describes monitoring of privacy risks by the executive leadership team as “inadequate” and says the rapid growth of Service NSW, which now has 3,981 staff and manages more than 1,200 types of government transactions, has exacerbated privacy risks.
“Service NSW is not effectively handling personal customer and business information to ensure its privacy,” Ms Crawford says in the report released late last year.
Millions of documents breached
Between March and April last year, Service NSW, which has agreements with 36 government client agencies to facilitate community transactions and interactions, was subject to what’s believed to have been two major cyber attacks.
The attackers managed to access the email accounts of 47 Service NSW staff and, through those accounts, large amounts of personal customer information.
Service NSW reported at the time that the cyber attack had resulted in the breach of some five million documents, of which 500,000 were likely to contain personal information, and that more than 180,000 customers had been affected.
It subsequently said it believed fewer customers were affected than originally reported.
“The effect of the breach has nevertheless been serious and the processes in Service NSW need significant improvement,” Ms Crawford says.
CEO Damon Rees says Service NSW has accepted all the report’s recommendations and will address them as a priority.
Customer Service Minister Victor Dominello apologised to all those affected by the breach and noted he commissioned the report after becoming aware of the severity of the breach.
“The report provides a robust, independent assessment of why the incident occurred and what needs to be done to improve our cyber defences and overhaul legacy business processes,” he said in a statement on Wednesday.
“My agency has committed to implementing all of the Auditor-General’s recommendations and has already implemented a number of critical security measures such as multi-factor authentication on staff email accounts.”