Australian Driver's Licenses Exposed on S3 BucketIt's Unclear Who Owns the Data and If Those Affected Will Be Notified
Scans of 54,000 Australian driver's licenses were exposed in an open Amazon Simple Storage Service, or S3, bucket, according to a security researcher, but it's unclear if those affected will be notified.
The data was found by Bob Diachenko, who runs Security Discovery. Diachenko frequently finds data publicly exposed in S3 buckets. A screenshot of the some of the data indicates it may have been scanned in 2018.
More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket. Most likely - part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now. No official response though. Thanks to @troyhunt for assistance. pic.twitter.com/FRTQ5GEEJE— Bob Diachenko (@MayhemDayOne) August 26, 2020
Exposed S3 storage instances have long been a source of data breaches. The instances are often misconfigured, which can result in the data being exposed to the internet. Specialized search engines such as Shodan can be used to find misconfigured buckets.
The Office of the Australian Information Commissioner, which oversees data protection issues, says it's aware of a potential data breach involving driver's licenses. If the organization that exposed the data is covered by the Privacy Act, "they must notify the people who are affected and the OAIC as quickly as possible," the office says.
"While we can't comment on the specifics, we would expect any organization to act quickly to contain a data breach involving personal information and assess the potential impact on those affected," a spokesperson for the office says.
The exposed data includes 108,535 scans of the fronts and backs of New South Wales driver's licenses, which list birth dates, physical addresses and driver's license numbers.
The data also includes completed documents called "statutory declarations" in either .jpg or .pdf files. Motorists file those declarations when they want to contest unpaid toll notifications, such as if someone else was driving their vehicle at the time of the violation.
Transport for NSW, a government agency, says it's investigating the exposure along with Cyber Security NSW, which is the state's cybersecurity agency.
"While it is always important for license holders to be privacy aware when providing their sensitive personal information to other parties, Transport for NSW recognizes that some third parties routinely request driver license information as part of their business practices," the agency says.
The NSW Information and Privacy Commission says it's aware of the breach and has received a briefing from Cyber Security NSW.
"The privacy commissioner understands that a commercial business, unconnected to the NSW government, was responsible for the breach," the commissioner says. "The breach is not associated with a NSW government agency or any NSW government system or process."
The privacy commissioner did not identify the business involved, and it remains unclear whether those affected will be notified. The state of New South Wales uses at least one private contractor for electronic toll payments. One such contractor is Linkt, which is part of the company Transurban. A spokesman for Linkt says the company is aware of the incident but it isn't responsible for the exposure.
A Call for Full Disclosure
Hunt, the creator of the Have I Been Pwned data breach notification site, says the data is sensitive and the exposure needs to be disclosed.
"There needs to be some sort of action one way or another," Hunt says.
Harvesting driver's license data in a breach such as this could result in identity theft schemes. Transport for NSW says it can reissue driver's licenses of those who are impacted by identity fraud on a case-by-case basis.
When verifying someone is who they say they are, many Australian government agencies use a point system. A birth certificate or a passport usually has the highest number of points, while driver's licenses usually rank second highest, with bank statements and utility notices the lowest.
Australia requires mandatory notification of data breaches that relate to personal data in a way that is likely to result in serious harm. The OAIC can assess fines for noncompliance up to $2.2 million Australian dollars ($1.6 million) (see: Australia Enacts Mandatory Breach Notification Law).