[BreachExchange] Australian Driver's Licenses Exposed on S3 Bucket

Destry Winant destry at riskbasedsecurity.com
Thu Sep 3 10:34:28 EDT 2020


https://www.databreachtoday.com/australian-drivers-licenses-exposed-on-s3-bucket-a-14918

Scans of 54,000 Australian driver's licenses were exposed in an open
Amazon Simple Storage Service, or S3, bucket, according to a security
researcher, but it's unclear if those affected will be notified.

The data was found by Bob Diachenko, who runs Security Discovery.
Diachenko frequently finds data publicly exposed in S3 buckets. A
screenshot of some of the data indicates it may have been scanned
in 2018.

The exposure was closed shortly after Diachenko notified Australian
data breach expert Troy Hunt, who notified the Australian Cyber
Security Center. The exposure was first reported by iTNews.

Exposed S3 storage instances have long been a source of data breaches.
The instances are often misconfigured, which can result in the data
being exposed to the internet. Specialized search engines such as
Shodan can be used to find misconfigured buckets.
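The misconfigurations behind exposures like this one are almost always one of three things: a bucket policy that grants access to any principal, an ACL grant to the AllUsers or AuthenticatedUsers group, or Block Public Access left switched off so that either of the first two takes effect. The following Python check is added here as an illustration; it is not part of the original post, the article it relays, or any AWS or Security Discovery tooling. It evaluates the three settings offline on hand-constructed inputs shaped like the values that boto3's get_bucket_policy()["Policy"], get_bucket_acl()["Grants"] and get_public_access_block()["PublicAccessBlockConfiguration"] return; the bucket name, Sids and account ID are made-up sample values.

```python
"""Offline audit of the S3 settings that turn a bucket into a public data exposure.
Added example, not code from the article or from AWS. The three inputs are built by
hand below so the check runs without credentials; in practice they would come from
get_bucket_policy()["Policy"], get_bucket_acl()["Grants"] and
get_public_access_block()["PublicAccessBlockConfiguration"]."""
import json

# Constructed sample bucket policy: the first statement hands anonymous read to
# every object, the second is a normal owner-only statement (123456789012 is a
# placeholder account ID, "example-scans" a placeholder bucket name).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-scans/*"},
        {"Sid": "OwnerFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-scans/*"},
    ],
})

# Constructed sample ACL grants: owner plus a READ grant to the AllUsers group.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Constructed sample Block Public Access configuration with every safeguard off.
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# The two predefined groups whose grants make a bucket reachable by outsiders.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "AuthenticatedUsers (any AWS account)",
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements usable by any principal with no Condition attached."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        # A Condition (e.g. a source VPC endpoint) may narrow a wildcard principal,
        # so only unconditional wildcard statements are reported here.
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def public_acl_grants(grants):
    """(group description, permission) for every ACL grant to a public group."""
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def disabled_public_access_blocks(pab):
    """Block Public Access settings that are not enabled; all four should be True."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def audit_bucket(policy_json, grants, pab):
    """Run the three checks and return a list of human-readable findings."""
    findings = []
    for sid in public_policy_statements(policy_json):
        findings.append(f"bucket policy statement '{sid}' allows any principal without a Condition")
    for group, perm in public_acl_grants(grants):
        findings.append(f"ACL grants {perm} to {group}")
    missing = disabled_public_access_blocks(pab)
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, SAMPLE_PAB):
        print("FINDING:", line)
```

Run against the constructed inputs the audit reports all three problems; with the same policy but empty grants and all four Block Public Access settings set to True it still reports the wildcard policy statement, which is the point of treating the three settings separately: Block Public Access is the backstop, but a public policy statement left in place is a finding on its own.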

The Office of the Australian Information Commissioner, which oversees
data protection issues, says it's aware of a potential data breach
involving driver's licenses. If the organization that exposed the data
is covered by the Privacy Act, "they must notify the people who are
affected and the OAIC as quickly as possible," the office says.

"While we can't comment on the specifics, we would expect any
organization to act quickly to contain a data breach involving
personal information and assess the potential impact on those
affected," a spokesperson for the office says.

Data Exposed

The exposed data includes 108,535 scans of the fronts and backs of New
South Wales driver's licenses, which list birth dates, physical
addresses and driver's license numbers.

The data also includes completed documents called "statutory
declarations" in either .jpg or .pdf files. Motorists file those
declarations when they want to contest unpaid toll notifications, such
as if someone else was driving their vehicle at the time of the
violation.

Transport for NSW, a government agency, says it's investigating the
exposure along with Cyber Security NSW, which is the state's
cybersecurity agency.

"While it is always important for license holders to be privacy aware
when providing their sensitive personal information to other parties,
Transport for NSW recognizes that some third parties routinely request
driver license information as part of their business practices," the
agency says.

The NSW Information and Privacy Commission says it's aware of the
breach and has received a briefing from Cyber Security NSW.

"The privacy commissioner understands that a commercial business,
unconnected to the NSW government, was responsible for the breach,"
the commissioner says. "The breach is not associated with a NSW
government agency or any NSW government system or process."

The privacy commissioner did not identify the business involved, and
it remains unclear whether those affected will be notified. The state
of New South Wales uses at least one private contractor for electronic
toll payments. One such contractor is Linkt, which is part of the
company Transurban. A spokesman for Linkt says the company is aware of
the incident but it isn't responsible for the exposure.

A Call for Full Disclosure

Hunt, the creator of the Have I Been Pwned data breach notification
site, says the data is sensitive and the exposure needs to be
disclosed.

Troy Hunt

"There needs to be some sort of action one way or another," Hunt says.

Harvesting driver's license data in a breach such as this could result
in identity theft schemes. Transport for NSW says it can reissue
driver's licenses of those who are impacted by identity fraud on a
case-by-case basis.

When verifying someone is who they say they are, many Australian
government agencies use a point system. A birth certificate or a
passport usually has the highest number of points, while driver's
licenses usually rank second highest, with bank statements and utility
notices the lowest.

Australia requires mandatory notification of data breaches that relate
to personal data in a way that is likely to result in serious harm.
The OAIC can assess fines for noncompliance of up to AU$2.2 million
(about US$1.6 million) (see: Australia Enacts Mandatory Breach
Notification Law).

