NSW data breach sees more than 500,000 QR code check-in addresses published
The NSW opposition is calling for the privacy commissioner to conduct a fresh inquiry into a breach of COVID-19 QR code data by the state government.
Nine News revealed on Monday more than 500,000 addresses including those of domestic violence shelters and defence sites were inadvertently published on a state government website.
The data, collected by the NSW Department of Customer Service when organisations registered as COVID Safe, was discovered online in September by a technology specialist.
The NSW government has said it informed the privacy commissioner a day after it was notified that sensitive information was in the public domain, and it was taken down.
While the government said the commissioner “determined the incident did not constitute a privacy breach”, opposition customer service spokesperson Yasmin Catley said on Tuesday there should be another review, describing the blunder as a “real critical incident”.
“This is a government who is breaching its relationship and its confidence with the community,” Ms Catley said. “They need to tell us who knew what, when and why the Premier himself was not aware of this very significant breach.”
Premier Dominic Perrottet said on Monday he was made aware of the issue that morning and the bungle “shouldn’t have happened”.
State Opposition Leader Chris Minns said it was “completely unacceptable for the NSW Premier not to be told about it”.
“If I were him, I’d be demanding to know how there’s a major data breach,” he said.
The Department of Customer Service has said it “considers the security and privacy of customer information its highest priority”.
COVID Safe registration was open to all businesses, including those in other states and territories that had interests in NSW. Addresses of organisations in Western Australia, Queensland, Victoria, South Australia and the ACT were also in the dataset inadvertently made public.
The department has said less than 1 per cent of the 566,318 addresses were “identified as potentially sensitive”.
QR breach exposes 500,000 NSW addresses
NSW Government QR code bungle sees addresses leaked with the Premier acknowledging it 'shouldn’t have happened'
A shocking data breach has resulted in 500,000 QR code check-in addresses being leaked to a public website where the data could be searched and viewed.
The data involved 566,318 locations collected by the NSW Customer Services Department in what has been labelled a ‘massive and dangerous’ violation of trust.
Addresses were not limited to NSW, and included other states and territories if those businesses or the parent organisation had registered with the government to comply with mandated Covid-Safe procedures.
Some of this data included the location of domestic violence shelters, secret defence installations – including a missile maintenance unit – power stations, tunnel locations, and private addresses. Pretty much anywhere that people were required to check in to track Covid – which was everywhere.
It is such a serious event that lawyers have called to prosecute the government department.
NSW Premier Dominic Perrottet has admitted that his state government is to blame for the unthinkable mistake, saying that the list was ‘uploaded in error’.
If nothing else, it is a lesson about the dangers of data and the blind faith that the government has asked citizens to have in its handling of information.
The government is set to introduce its controversial Trusted Digital Identity Bill shortly, which will collect, collate, and share a frightening level of personal information about citizens. A leak or act of human error in this system would be a concern for the safety of citizen identity far greater than the NSW data error.
Perrottet said that he was only told about last year’s QR data leak on Monday, even though it happened in 2021. It has been referred to the Privacy Commissioner, but the real question is how a failure of security on this scale could be made without anybody noticing.
“That was worked through [the] Privacy Commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn’t have happened,” added Perrottet.
The government did not recognise its error; rather, a technology security specialist by the name of Skeeve Stevens noticed that the data was publicly available and alerted experts, who then went on to officially notify the government that they had a serious data security issue.
While the data was online, anyone could have accessed it – including domestic abusers and foreign governments, which is of particular concern for the now-public military installations.
“Some of the scary things we were searching – firearms, armoury, federal police and where storage locations were – perhaps someone should've thought about what should and shouldn't have been disclosed,” said Mr Stevens.
'Massive and dangerous' data breach
More than 500,000 QR code check-in addresses published, including domestic violence shelters
- 566,318 location details collected through QR code system made public
- NSW Premier Dominic Perrottet said information was 'uploaded in error'
- Women's safety advocate said lives could have been put at risk by the leak
More than 500,000 QR code check-in addresses across Australia were leaked in a 'massive and dangerous' data breach for which the NSW government is to blame.
The system designed to help the public through the Covid-19 pandemic could now be putting Australians in danger as the leak has revealed the locations of domestic violence shelters, Defence sites and even a missile maintenance unit.
The list, which NSW Premier Dominic Perrottet said was 'uploaded in error', also included prisons, power stations and tunnel entry sites.
Though the leak happened last year, Mr Perrottet was only told about it on Monday.
In total, 566,318 location details collected by the NSW Customer Services Department through its QR code system were made public through a government website, 9News revealed.
Along with NSW locations, addresses in Western Australia, Queensland, Victoria, South Australia and the ACT were also included in the database, which registered businesses or organisations wanting to comply with Covid-Safe directions.
Registration was open to all businesses, including those in other states and territories which had interests in NSW.
'If there has been, as it appears on its face, to have been a significant breach, then (the) relevant state government department must be prosecuted,' lawyer and civil liberties advocate Terry O'Gorman said.
'Why did they make this information available in the first place? It just boggles the mind as to why there's even a necessity to publish this sort of information,' he said.
The leaking of the locations of dozens of crisis accommodation centres for women across NSW 'could be a matter of life and death', said a victims' support advocate.
'If government is really sharing information like this, it can have serious consequences,' Full Stop Australia chief executive Hayley Foster said.
Skeeve Stevens, a technology security specialist, saw the publicly available data in September and said he alerted cyber experts, who then told the NSW Government.
'If the wrong people got hold of this it could've been used for bad things,' he said.
'Some of the scary things we were searching - firearms, armoury, federal police and where storage locations were - perhaps someone should've thought about what should and shouldn't have been disclosed.'
A notice on the NSW data website dated October 12, 2021 says: 'The Covid Safe Businesses and Organisations dataset has been discontinued. We have identified issues with integrity of the data.'
But there was no explanation as to what the 'integrity' issue was.
Though the NSW Government said it referred the matter to the Privacy Commissioner in October, Mr Perrottet said he was not told about what he called 'an issue' with the database until Monday.
The Premier said the data had been 'uploaded in error'.
'That was worked through Privacy Commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn't have happened,' Mr Perrottet said.
The NSW Government said the Privacy Commissioner told it 'the incident did not constitute a privacy breach'.
The state's Department of Customer Service said it classed less than one per cent of the 566,318 locations as sensitive. One per cent amounts to 5,663 addresses.
'These businesses were all contacted by telephone and letter. No issues of concern were raised by any recipients,' a department spokesperson said.