
Australian Driver's Licenses Exposed on S3 Bucket

It's Unclear Who Owns the Data and If Those Affected Will Be Notified
The Sydney Harbour Bridge, which is a toll bridge. Some toll-related information was exposed.

Scans of 54,000 Australian driver’s licenses were exposed in an open Amazon Simple Storage Service, or S3, bucket, according to a security researcher, but it’s unclear if those affected will be notified.


The data was found by Bob Diachenko, who runs Security Discovery. Diachenko frequently finds data publicly exposed in S3 buckets. A screenshot of some of the data indicates it may have been scanned in 2018.

The exposure was closed shortly after Diachenko notified Australian data breach expert Troy Hunt, who notified the Australian Cyber Security Center. The exposure was first reported by iTNews.

Exposed S3 storage instances have long been a source of data breaches. The instances are often misconfigured, which can result in the data being exposed to the internet. Specialized search engines such as Shodan can be used to find misconfigured buckets.
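As an added illustration of the kind of misconfiguration described above (this is not code from the article or from any party named in it), the following Python evaluates a bucket's policy, ACL and Block Public Access settings the way a defender's audit script would. The document shapes match the AWS API responses; the sample policy, ACL and bucket name are constructed for the example.

```python
# Added example (not from the article): audit S3 settings for public exposure.
# Shapes follow GetBucketPolicy / GetBucketAcl / GetPublicAccessBlock output;
# the sample documents below are constructed, not taken from any real bucket.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _wildcard_principal(principal) -> bool:
    """True when a policy Principal grants to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy: dict) -> list:
    """Sids of Allow statements open to everyone and not narrowed by a Condition."""
    return [
        st.get("Sid", "<no Sid>") for st in policy.get("Statement", [])
        if st.get("Effect") == "Allow" and not st.get("Condition")
        and _wildcard_principal(st.get("Principal"))
    ]

def public_acl_grants(acl: dict) -> list:
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [
        g["Permission"] for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]

def bucket_is_public(policy: dict, acl: dict, block: dict) -> bool:
    """Block Public Access flags override an open ACL or an open policy."""
    acl_open = public_acl_grants(acl) and not block.get("IgnorePublicAcls")
    policy_open = (public_policy_statements(policy)
                   and not block.get("RestrictPublicBuckets"))
    return bool(acl_open or policy_open)

# Constructed samples: a read-for-everyone policy, a public-read ACL, and
# Block Public Access first switched off, then fully enabled.
OPEN_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {k: True for k in NO_BLOCK}
```

Running the same checks across every bucket in an account, and treating any `True` from `bucket_is_public` as an alert, is the routine control that would have caught an exposure like this one before a researcher did.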

The Office of the Australian Information Commissioner, which oversees data protection issues, says it's aware of a potential data breach involving driver’s licenses. If the organization that exposed the data is covered by the Privacy Act, “they must notify the people who are affected and the OAIC as quickly as possible,” the office says.

“While we can’t comment on the specifics, we would expect any organization to act quickly to contain a data breach involving personal information and assess the potential impact on those affected,” a spokesperson for the office says.

Data Exposed

The exposed data includes 108,535 scans of the fronts and backs of New South Wales driver’s licenses, which list birth dates, physical addresses and driver’s license numbers.

The data also includes completed documents called “statutory declarations” in either .jpg or .pdf files. Motorists file those declarations when they want to contest unpaid toll notifications, such as if someone else was driving their vehicle at the time of the violation.

Transport for NSW, a government agency, says it's investigating the exposure along with Cyber Security NSW, which is the state’s cybersecurity agency.

“While it is always important for license holders to be privacy aware when providing their sensitive personal information to other parties, Transport for NSW recognizes that some third parties routinely request driver license information as part of their business practices,” the agency says.

The NSW Information and Privacy Commission says it's aware of the breach and has received a briefing from Cyber Security NSW.

“The privacy commissioner understands that a commercial business, unconnected to the NSW government, was responsible for the breach,” the commissioner says. “The breach is not associated with a NSW government agency or any NSW government system or process.”

The privacy commissioner did not identify the business involved, and it remains unclear whether those affected will be notified. The state of New South Wales uses at least one private contractor for electronic toll payments. One such contractor is Linkt, which is part of the company Transurban. A spokesman for Linkt says the company is aware of the incident but it isn’t responsible for the exposure.

A Call for Full Disclosure

Hunt, the creator of the Have I Been Pwned data breach notification site, says the data is sensitive and the exposure needs to be disclosed.


“There needs to be some sort of action one way or another,” Hunt says.

Driver’s license data harvested from a breach such as this could fuel identity theft schemes. Transport for NSW says it can reissue driver’s licenses to those who are impacted by identity fraud on a case-by-case basis.

When verifying someone is who they say they are, many Australian government agencies use a point system. A birth certificate or a passport usually has the highest number of points, while driver's licenses usually rank second highest, with bank statements and utility notices the lowest.

Australia requires mandatory notification of data breaches involving personal data where the breach is likely to result in serious harm. The OAIC can impose fines for noncompliance of up to 2.2 million Australian dollars ($1.6 million) (see: Australia Enacts Mandatory Breach Notification Law).

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
