DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Service NSW email compromise exposing up to 186,000 people

6 September 2020 · Sydney, Australia
Satellite Imagery © Esri

What happened

In March and April 2020, Service NSW, the New South Wales government's customer-service agency, was hit by a phishing campaign that compromised the email accounts of 47 staff members. According to the NSW Audit Office, the attackers sent emails impersonating Microsoft Office 365, directing employees to a fake login page that harvested their credentials. Service NSW had identified the absence of multi-factor authentication on webmail as a risk more than a year earlier but had not implemented it before the breach.

Forensic analysis found that roughly 738GB of data, comprising about 3.8 million documents, was accessed from the 47 mailboxes; around 500,000 of those documents contained personal information. Service NSW initially assessed that up to 186,000 customers were affected, a figure later revised down to approximately 104,000 after deeper investigation. Exposed material reportedly included driving licences, birth certificates, passports, police checks, bank account details, names and email addresses.

Service NSW disclosed the incident in 2020 and described it as a criminal attack. It notified affected individuals via registered post requiring photo ID, while NSW Police investigated and the NSW Auditor-General reviewed the agency's data handling. The December 2020 audit concluded Service NSW was "not effectively handling personal customer and business information," criticising practices such as routinely scanning and emailing personal documents.

Assessment

The available evidence frames this as a financially or opportunistically motivated criminal phishing operation against a poorly hardened email environment; there is no established attribution to any state actor, and reputable reporting does not link it to a foreign government. The case is notable less for sophistication than for the volume of sensitive identity documents accumulated in staff inboxes and the absence of basic controls like multi-factor authentication. It illustrates how routine government data-handling weaknesses can convert a single phishing wave into a mass exposure of citizens' personal information.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.