A data leak containing 54,000 scanned New South Wales (NSW) driver’s licenses and various tolling notice statutory declarations were discovered by security researcher Bob Diachenko last week.
“More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket. Most likely – part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now. No official response though,” Diachenko said in a tweet.
The leak contained 108,535 scanned images of the front and back of NSW driver’s licenses, exposing birth dates, home addresses and driver’s license numbers. Completed tolling notice statutory declarations were also found in a separate folder. These documents are filled in by drivers wishing to dispute unpaid toll notifications and include information such as full name, phone number, address and other details of the person driving the vehicle at the time of the toll violation.
“All the documents I observed were related to the NSW area and there was no indication as to who might be the owner of the data,” Diachenko said in a statement.
Immediately after the discovery, Diachenko contacted Australian cybersecurity researcher Troy Hunt, who alerted the Australian Cyber Security Centre.
The agency secured the server and is now working with the NSW Information and Privacy Commission to investigate the breach. However, the transport and roads agency in New South Wales (TfNSW) denies any liability for the leak, suggesting that an unspecified third-party service could be responsible.
“Initial information indicates the exposed AWS S3 bucket is not related to Transport for NSW or any government system,” TfNSW said. “While it is always important for licence holders to be privacy aware when providing their sensitive personal information to other parties, Transport for NSW recognises that some third parties routinely request driver licence information as part of their business practices.”
Even if there is no evidence of misuse, individuals with exposed driver’s licenses may still fall victim to identity theft schemes, which calls for full disclosure to potential victims. Reissuing licenses for drivers impacted by the breach could also be a solution for limiting any fraudulent attempts.