Australian transit department was hacked; email addresses and driver’s licenses leaked

Transport for NSW, the transportation authority in New South Wales, Australia, is in the process of notifying tens of thousands of users that their complete driver’s license information has been exposed due to a flaw in their cloud deployment. This information was discovered by security specialist Bob Diachenko, who detected the leak while working on the investigation of another incident. 

According to Diachenko it was very easy to access the exposed information, hosted in an Amazon Web Services (AWS) bucket; once inside the folder, the researcher found thousands of scans on both sides of the driver’s licenses, in addition to multiple traffic notifications. In total, the folder contained 1088,535 scans, equivalent to about 54,000 unique licenses.

La imagen tiene un atributo ALT vacío; su nombre de archivo es nsw01.jpg

It should be noted that licenses issued by the New South Wales authority contain details such as full names, photos, dates of birth and address of drivers, so this is a serious safety incident.

La imagen tiene un atributo ALT vacío; su nombre de archivo es nsw02.jpg

In his report, Diachenko mentions that it is unclear how long the information remained exposed, although he notes that a few days would be more than enough for threat actors to find the compromised information: “Thousands of users could be exposed to various frauds; a criminal could use this information to obtain a loan on behalf of the victim or use data exposed in other incidents to deploy subsequent attacks,” the expert says.

In addition to the risk of fraud, information security experts mention that exposed information can be marketed in hacking forums, so eventually those affected will face further attack attempts. In this regard, the transport authority ensures that this incident is not related to any possibly affected government system.

“Transport for NSW is working with top cybersecurity specialists to investigate an incident related to an AWS bucket that contains personal information, including driver’s licenses,” a brief message revealed by the transportation authority a few days ago.

In this regard, a representative of the New South Wales Privacy Commissioner’s Office mentions that the incident could be related to a security issue affecting a private company: “We understand that a business company unrelated to government offices is responsible for this incident,” the representative says. The New South Wales government has been focused on pointing out that its computer systems were not compromised.