The government of New South Wales (NSW) has admitted to a data breach that exposed more than 500,000 addresses via a government website.
According to 9News, the NSW Customer Services Department collected hundreds of thousands of locations through its QR code registration system and then made them public on a government website.
The locations belonged to firms that were registered as COVID-safe businesses, which was an option offered to all NSW businesses as well as those from other jurisdictions with interests in NSW.
Skeeve Stevens, a technology specialist in the security and intelligence space, spotted the dataset in September and stated he notified cyber security professionals, who then informed the government. Defence sites, missile maintenance facilities, domestic violence shelters, essential infrastructure networks, and correctional facilities were among the locations exposed. Locations in Western Australia, Victoria, Queensland, South Australia, and the Australian Capital Territory were also included in the database.
Last October, the government forwarded the matter to the privacy commissioner, who determined that the incident did not constitute a privacy breach. The issue was brought to the attention of NSW Premier Dominic Perrottet this week, and he admitted that the material had been posted incorrectly.
Perrottet stated, "That was worked through [the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn't have happened."
According to 9News, the NSW Department of Customer Services classified fewer than 1% of the 566,318 locations as sensitive.
A department spokesperson stated, "These businesses were all contacted by telephone and letter. No issues of concern were raised by any recipients."
The COVID-Safe Businesses and Organization dataset has been withdrawn, according to a notice on the NSW data website dated 12 October 2021. “We have identified issues with the integrity of the data with the recent increase in volume of registrations. We apologise for any inconvenience,” stated the notice, without revealing what the issue was.
Last weekend, a marketing stunt by Coinbase used QR codes to bring potential consumers to its site, prompting experts to debate whether QR codes pose a true cyber security danger. Some experts believe they shouldn't be trusted because of the risk of being hijacked by cyber thieves, while others believe the fear around the technology is exaggerated and the real-world threat is minimal.