IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

NSW government database leaks more than 500,000 addresses

The Australian state’s premier has admitted the data breach "shouldn’t have happened”

The New South Wales (NSW) government has admitted to a data breach that saw more than 500,000 addresses leaked through a government website.

Hundreds of thousands of locations were collected by the NSW Customer Services Department through its QR code registration system before being made public through a government website, as reported by 9News.

The locations belonged to organisations that registered as a COVID-safe business, an option that was available to all NSW businesses, as well as those in other states that had interests in NSW.

The leak was discovered by whistleblower Skeeve Stevens who identified the dataset in September and said he alerted cyber security experts, who then told the government.

Locations included defence sites, missile maintenance units, domestic violence shelters, critical infrastructure networks, and correctional facilities. Also included in the database were locations in the states of Western Australia, Victoria, Queensland, South Australia and the Australian Capital Territory.

The government said it had referred the matter to the privacy commissioner last October and was told the incident didn’t constitute a privacy breach. NSW premier Dominic Perrottet said he was advised of the issue this week, admitting that the information had been uploaded in error.

Related Resource

Vulnerability and patch management

Keep known vulnerabilities out of your IT infrastructure

Whitepaper cover with dark red smoke-like graphic on black backgroundFree Download

"That was worked through [the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn't have happened," said Perrottet.

A spokesperson from the Department of Customer Service told IT Pro that a decision was made to publish a list of registered COVID-Safe businesses and that it stands by that decision. The spokesperson added that the issue wasn't related to QR code data, and that at no time were personal details published or QR code data of any kind.

"In a small number of cases, those businesses who self-registered were of a sensitive nature. In hindsight, their addresses should not have been published. These workplaces were subsequently contacted and the details of all businesses were removed," said the spokesperson.

The NSW Department of Customer Services told 9News it classed less than 1% of the 566,318 locations as sensitive.

There is a notice on the NSW data website from 12 October 2021 stating that the COVID-Safe Businesses and Organisation dataset has been discontinued. “We have identified issues with the integrity of the data with the recent increase in volume of registrations. We apologise for any inconvenience,” said the notice, without revealing what the issue was.

QR codes have caused experts to discuss whether they present a genuine cyber security threat, including last weekend when a marketing stunt from Coinbase used QR codes to drive potential customers to its site. Some experts said that they shouldn’t be fully trusted due to the potential for hijacking by cyber criminals, while others said that the concern around the technology is overblown and the real-world threat is relatively low.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

India to roll out 6G by end of decade
Network & Internet

India to roll out 6G by end of decade

18 May 2022
Data centres that switch from HDDs to SSDs use 70% less power
data centres

Data centres that switch from HDDs to SSDs use 70% less power

16 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022
Australia pledges $5 million to create tech skills passport
Careers & training

Australia pledges $5 million to create tech skills passport

11 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022