
Sensitive Business Addresses Among 500,000 Published in COVID Data Breach

The addresses of more than 500,000 organisations including defence sites, a missile maintenance unit and domestic violence shelters were inadvertently made public in the first major breach of the NSW government’s massive trove of QR code data.

Premier Dominic Perrottet said the information was uploaded in error and the bungle, which has alarmed privacy advocates and women’s safety advocates, “shouldn’t have happened”.

Cybersecurity experts have long warned that the huge amount of data being collected by governments through QR code check-in systems was vulnerable to security breaches, data fraud and hacking.

The locations, collected by the NSW Department of Customer Service when businesses and organisations registered as COVID-safe to access a QR code for staff and customers to check-in, were discovered on an NSW data website in September by technology specialist Skeeve Stevens.

He alerted cyber experts, who raised the alarm with the NSW government. The government referred the matter to the privacy commissioner the following month, and a spokesman said it was told the disclosure “did not constitute a privacy breach”.

Mr Perrottet said he was advised of “an issue” on Monday morning.

“That was worked through [by the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn’t have happened,” Mr Perrottet said.

The list of addresses included correctional facilities, critical infrastructure networks including power stations and tunnel entry sites as well as dozens of shelters and crisis accommodation centres for women across the state.

The NSW Department of Customer Service said it classed fewer than 1 per cent of the 566,318 locations as sensitive.

COVID-safe registration was open to all businesses, including those in other states and territories that had interests in NSW. Locations in Western Australia, Queensland, Victoria, South Australia and the ACT were also in the dataset seen by this masthead.

“These businesses were all contacted by telephone and letter. No issues of concern were raised by any recipients,” a department spokesperson said.

A domestic violence victims’ support advocate said the leak “could be a matter of life and death”.

“If the government is really sharing information like this it can have serious consequences,” Full Stop Australia chief executive Hayley Foster said.

A notice on the NSW data website dated October 12, 2021, says: “The COVID Safe Businesses and Organisations dataset has been discontinued. We have identified issues with integrity of the data.”

Neither the department nor the government has explained what the “integrity” issue was.

A department spokesperson said it considered the security and privacy of customer information its highest priority.

“The list of COVID Safe businesses was publicly available online to ensure customers could plan activities while remaining COVID Safe,” it said. “Those registering were advised the Department of Customer Service may share de-identified information for research and statistical purposes.”

But Mr Stevens, who works in the security and intelligence space, said the database could have been used for “bad things” if the wrong people had got hold of it.

“Some of the scary things we were searching [was] firearms, armoury, federal police and where storage locations were ... perhaps someone should’ve thought about what should and shouldn’t have been disclosed,” he said.

Civil libertarian Terry O’Gorman questioned why the information was made available in the first place and said if there had been a significant breach, the relevant state government department should be prosecuted.

“It just boggles the mind as to why there’s even a necessity to publish this sort of information,” he said.
