NSW QR Code data breach involving publication of 500,000 addresses on state government website..a recurring problem for state and local government bodies
February 23, 2022 |
The SMH reports that there has been a data breach by NSW Department of Consumer Service in the publication of 500,000 addresses on a government website. According to the NSW Government the NSW information Commissioner was advised the day after it became aware of the information being in the public domain and that the Commissioner stated that this did not constitute a privacy breach. That story is based on a Nine News expose. As is the way the embarrassment of the breach is compounded by the negative coverage, going as far as the UK.
If there is some humour to be found in this all too familiar type of breach it is that NSW legislated to ban police from accessing QR code check in data in November last year.
The SMH article provides:
The NSW opposition is calling for the privacy commissioner to conduct a fresh inquiry into a breach of COVID-19 QR code data by the state government.
Nine News revealed on Monday more than 500,000 addresses including those of domestic violence shelters and defence sites were inadvertently published on a state government website.
The data, collected by the NSW Department of Customer Service when organisations registered as COVID Safe, was discovered online in September by a technology specialist.
The NSW government has said it informed the privacy commissioner a day after it was notified that sensitive information was in the public domain, and it was taken down.
While the government said the commissioner “determined the incident did not constitute a privacy breach”, opposition customer service spokesperson Yasmin Catley said on Tuesday there should be another review, describing the blunder as a “real critical incident”.
“This is a government who is breaching its relationship and its confidence with the community,” Ms Catley said. “They need to tell us who knew what, when and why the Premier himself was not aware of this very significant breach.”
Premier Dominic Perrottet said on Monday he was made aware of the issue that morning and the bungle “shouldn’t have happened”.
State Opposition Leader Chris Minns said it was “completely unacceptable for the NSW Premier not to be told about it”.
“If I were him, I’d be demanding to know how there’s a major data breach,” he said.The Department of Customer Service has said it “considers the security and privacy of customer information its highest priority”.
COVID Safe registration was open to all businesses, including those in other states and territories that had interests in NSW. Addresses of organisations in Western Australia, Queensland, Victoria, South Australia and the ACT were also in the dataset inadvertently made public.
The department has said less than 1 per cent of the 566,318 addresses were “identified as potentially sensitive”.