The personal information of tens of thousands of New South Wales motorists may have been exposed in a mysterious online data leak and experts believe the source could be a fleet or toll road operator.
Two folders, one containing 108,535 scanned images of more than 50,000 driver's licences and another containing Roads and Maritime Services toll notice statutory declarations, were uncovered by Europe-based cyber threat consultant Bob Diachenko while he was investigating a separate data breach.
The PDF and JPG files were stored in a misconfigured Amazon Web Services S3 storage bucket and featured personal information such as phone numbers, addresses and birth dates, all of which were available for public view: the bucket's access settings allowed anyone who found its address to read the files without any login.
"More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket," Mr Diachenko wrote in a tweet on August 26, 2020, accompanied by a screenshot of a list of files dated from the year 2018.
"Most likely - part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now. No official response though. Thanks to @troyhunt for assistance."
While the data has since been secured, the source of the uploaded files remains unknown and CarAdvice understands those affected by the breach are yet to be contacted.
However, a Transport for NSW spokesperson told CarAdvice the exposed data was "not related to Transport for NSW or any Government system".
"Transport for NSW does not retain, nor collect tolling data in the manner described," the spokesperson explained.
"Transport for NSW is however working with Cyber Security NSW to investigate the alleged data issue relating to an Amazon Web Services S3 bucket containing personal information including driver licences.
"While it is always important for licence holders to be privacy aware when providing their sensitive personal information to other parties, Transport for NSW recognises that some third parties routinely request driver licence information as part of their business practices.
"Transport for NSW’s policies and procedures recognise the need for case-by-case consideration for customers believed to be impacted by identity fraud and where necessary issues new driver licence/photo cards as appropriate."
Local security researcher Troy Hunt, who was the first person Mr Diachenko contacted when he uncovered the breach, said the data could have come from a wide range of sources, given many companies require a driver's licence as proof of identification.
However, Mr Hunt said, "the presence of toll notices [in the leak] is probably a bit of a clue and suggests it's more likely that it's a toll operator, or a fleet operator."
While the average layperson would have been unlikely to locate the exposed files, Mr Hunt said the nature of the breach was such that it would be "trivial" for anyone with a moderate amount of technical knowledge to uncover.
"You don't have to be at Bob's level, but if you're someone who likes to crawl around the internet looking for this stuff [it would be possible] – I'm concerned about someone who makes a concerted effort to find it," Mr Hunt added.
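The failure mode behind this story is a storage bucket whose access settings let anyone who finds it read the contents. The following is an added example, not code from the article or from the researchers it quotes: a Python check that, given a bucket's PublicAccessBlock settings, its ACL and its bucket policy, reports whether the bucket is world-readable and why. The inputs are constructed samples in the shape that boto3's get_public_access_block, get_bucket_acl and get_bucket_policy return; no AWS calls are made, and the bucket, owner and VPC names are placeholders.

```python
"""Check whether an S3 bucket's configuration makes its objects world-readable.

Added example; not code from the article or from the researchers it quotes.
It evaluates the three settings that together decide anonymous read access
(PublicAccessBlock, bucket ACL, bucket policy) over constructed inputs shaped
like the responses of boto3's get_public_access_block, get_bucket_acl and
get_bucket_policy.  No AWS calls are made; names below are placeholders.
"""
import fnmatch
import json
from typing import List, Optional

# Grantee URIs AWS uses for "everyone" and "any AWS account" (both effectively public).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def acl_public_read(acl: dict) -> bool:
    """True if the ACL grants READ or FULL_CONTROL to an anonymous group.

    On a bucket ACL, READ lets anyone list the object keys (how an open bucket
    is enumerated); on an object ACL it lets anyone download the object.
    """
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def _principal_is_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _actions_cover_getobject(actions) -> bool:
    """True if any action pattern ("*", "s3:*", "s3:Get*", "s3:GetObject") matches s3:GetObject."""
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatch("s3:getobject", a.lower()) for a in actions)


def policy_public_read(policy_json: Optional[str]) -> bool:
    """True if the bucket policy unconditionally allows s3:GetObject to everyone.

    A statement carrying a Condition block is treated as not public: conditions
    such as aws:SourceVpc usually narrow the grant, and deciding whether a given
    condition still leaves it open is out of scope for this example.
    """
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if (st.get("Effect") == "Allow"
                and _principal_is_everyone(st.get("Principal"))
                and _actions_cover_getobject(st.get("Action", []))
                and not st.get("Condition")):
            return True
    return False


def bucket_public_reasons(public_access_block: Optional[dict], acl: dict,
                          policy_json: Optional[str]) -> List[str]:
    """Return why the bucket is world-readable, or [] if it is not.

    PublicAccessBlock overrides the other two: IgnorePublicAcls makes S3 ignore
    public ACL grants that already exist, and RestrictPublicBuckets makes it
    ignore a public bucket policy.  A missing block blocks nothing.
    """
    pab = public_access_block or {}
    reasons = []
    if acl_public_read(acl) and not pab.get("IgnorePublicAcls", False):
        reasons.append("ACL grants READ to an anonymous group and IgnorePublicAcls is off")
    if policy_public_read(policy_json) and not pab.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy allows s3:GetObject to Principal * and RestrictPublicBuckets is off")
    return reasons


# Constructed sample inputs (not from the incident), in the shape boto3 returns.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
OPEN_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
VPC_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}]})
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("no block, open ACL + policy:", bucket_public_reasons(None, OPEN_ACL, OPEN_POLICY))
    print("hardened block, same ACL + policy:", bucket_public_reasons(HARDENED_PAB, OPEN_ACL, OPEN_POLICY))
    print("private ACL, VPC-only policy:", bucket_public_reasons(None, PRIVATE_ACL, VPC_ONLY_POLICY))
```

In practice the three inputs would come from those boto3 calls run over every bucket in the account, and the hardened PublicAccessBlock shown (all four flags true) is the account-level setting that neutralises an open ACL or policy like the ones above regardless of what an application later writes. Note the distinction the check preserves: a public READ grant on the bucket ACL exposes the listing of object keys, which is what lets a crawler enumerate files, while reading each file depends on the object ACLs or the bucket policy.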
Mr Hunt said he believes the public is owed an update regarding the source of the leaked data.
"It was open to public view which was obviously the concerning thing and it's unclear how long it was open for public view," he said.
"The thing I would like to see is disclosure of who it actually was because it's been almost two weeks since Bob contacted me, so this is obviously something which has been locked down and someone, somewhere knows what it is."