This appeared last week:
Massive QR breach from NSW Government exposes 500,000 addresses
More than 500,000 addresses were leaked in a NSW Government QR code bungle, with the Premier acknowledging it “shouldn’t have happened”.
February 15, 2022 - 6:54AM
More than 500,000 addresses – including those of defence sites, domestic violence shelters and a missile maintenance unit – were leaked in a massive NSW Government QR code bungle.
The hundreds of thousands of locations were collected by the NSW Customer Services Department through its QR code registration system, having registered as wanting to comply with Covid-Safe directions.
The dataset was then accidentally made public through a government website, 9News reports.
The NSW Government told the network it referred the matter to the Privacy Commissioner in October last year, and was told “the incident did not constitute a privacy breach”.
Premier Dominic Perrottet said he was advised of “an issue” on Monday morning and said the information had been “uploaded in error”.
“That was worked through [with the] Privacy Commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down,” Mr Perrottet told 9.
“It shouldn’t have happened.”
Less than one per cent of the 566,318 locations – which included places in Queensland, Victoria, South Australia, the ACT and Western Australia – were classed as sensitive, the NSW Department of Customer Services said.
“These businesses were all contacted by telephone and letter. No issues of concern were raised by any recipients,” a department spokesperson said.
More here:
There is also coverage here:
Sensitive business addresses among 500,000 published in COVID data breach
By Jonathan Kearsley and Clair Weaver
February 14, 2022 — 7.00pm
The addresses of more than 500,000 organisations including defence sites, a missile maintenance unit and domestic violence shelters were inadvertently made public in the first major breach of the NSW government’s massive trove of QR code data.
Premier Dominic Perrottet said the information was uploaded in error and the bungle, which has alarmed privacy advocates and women’s safety advocates, “shouldn’t have happened”.
Cybersecurity experts have long warned the huge amount of data being collected by governments through QR code systems was vulnerable to security breaches, data fraud and hacking.
The locations, collected by the NSW Department of Customer Service when businesses and organisations registered as COVID-safe to access a QR code for staff and customers to check in, were discovered on a NSW data website in September by technology specialist Skeeve Stevens.
He alerted cyber experts who raised the alarm with the NSW government. It referred the matter to the privacy commissioner the following month and a spokesman said it was told it “did not constitute a privacy breach”.
Mr Perrottet said he was advised of “an issue” on Monday morning.
“That was worked through [by the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn’t have happened,” Mr Perrottet said.
The list of addresses included correctional facilities, critical infrastructure networks including power stations and tunnel entry sites as well as dozens of shelters and crisis accommodation centres for women across the state.
The NSW Department of Customer Service said it classed fewer than 1 per cent of the 566,318 locations as sensitive.
More here:
Talk about a silly and unnecessary data leak that allowed the addresses of all sorts of sensitive organisations to be made accessible and potentially used for all sorts of nefarious purposes!
Just who would think putting this list on the web would be a good idea, one wonders…
What other lists might some other neophyte think would be good to be made public?
Service NSW has a Privacy Policy which you can see here:
https://www.service.nsw.gov.au/privacy-statement
The problem with what happened this time seems to be that the information was not clearly ‘personal information’ while in fact making such sensitive organisational addresses available could have direct personal consequences if discovered and used.
It was not obvious, from what I could see, if there was a policy to cover such secondary issues. What is needed is a more general policy that says ‘you think through all the risks before data is published’ with a bias towards public safety if in any doubt!
Bottom line is that we need excellent stewardship of all data sets collected by Government and real consequences for those who let information wander that may be harmful. Another instance of ‘common sense’ not being as common as we all might like. And let’s not even start on data protection, security and de-identification and the traps that exist there!
‘Must do better’ is the mantra, I believe!
David.