Service NSW failing to protect customer privacy

Service NSW is failing to protect the privacy and personal information of customers, according to an investigation sparked by a massive cyber attack on the government agency last year.

NSW Auditor General Margaret Crawford.

Auditor General Margaret Crawford found Service NSW’s current business processes continue to put the privacy of customers at risk, and says there are “significant” weaknesses in security controls over its Salesforce CRM which holds the personal information of more than four million NSW residents.

She also describes monitoring of privacy risks by the executive leadership team as “inadequate” and says the rapid growth of Service NSW, which now has 3,981 staff and manages more than 1,200 types of government transactions, has exacerbated privacy risks.

“Service NSW is not effectively handling personal customer and business information to ensure its privacy,” Ms Crawford says in the report released late last year.

Millions of documents breached

Between March and April last year, Service NSW, which has agreements with 36 government client agencies to facilitate community transactions and interactions, was subject to what’s believed to have been two major cyber attacks.

The attackers managed to access the email accounts of 47 Service NSW staff and, through those accounts, large amounts of personal customer information.

Service NSW reported at the time that the cyber attack had resulted in the breach of some five million documents, of which 500,000 were likely to contain personal information, and that more than 180,000 customers had been affected.

It subsequently said it believed fewer customers were affected than originally reported.

“The effect of the breach has nevertheless been serious and the processes in Service NSW need significant improvement,” Ms Crawford says.

CEO Damon Rees says Service NSW has accepted all the report’s recommendations and will address them as a priority.

Customer Service Minister Victor Dominello apologised to all those affected by the breach and noted he commissioned the report after becoming aware of the severity of the report.

“The report provides a robust, independent assessment of why the incident occurred and what needs to be done to improve our cyber defences and overhaul legacy business processes,” he said in a statement on Wednesday.

“My agency has committed to implementing all of the Auditor-General’s recommendations and has already implemented a number of critical security measures such as multi-factor authentication on staff email accounts.”


One thought on “Service NSW failing to protect customer privacy”

  1. The Service First app that collects Covid tracking data.
    Is that as secure as all the other data that's been hacked! The valuable tracking data for Covid cases is also very valuable to business and gives a great personal profile for the millions of NSW residents that effectively have to use it to go anywhere!

    I hope that Service NSW have beefed up security on this data.
    We are not likely to know until the next AG’s report or never! as it is part of the regime of commercial in confidence deals that seem to continue to pop up with this government's dealings.
