Defence, domestic violence shelter addresses among more than 500,000 ‘uploaded in error’

Sensitive business addresses among 500,000 published in COVID data breach
By Jonathan Kearsley and Clair Weaver
February 14, 2022 — 6.00pm

The addresses of more than 500,000 organisations including defence sites, a missile maintenance unit and domestic violence shelters were inadvertently made public in the first major breach of the NSW government’s massive trove of QR code data.

Premier Dominic Perrottet said the information was uploaded in error and the bungle, which has alarmed privacy advocates and women’s safety advocates, “shouldn’t have happened”.

NSW Premier Dominic Perrottet says he was advised of “an issue” on Monday morning. Credit: James Alcock

Cybersecurity experts have long warned the huge amount of data being collected by governments through QR code systems was vulnerable to security breaches, data fraud and hacking.

The locations, collected by the NSW Department of Customer Service when businesses and organisations registered as COVID-safe to access a QR code for staff and customers to check in, were discovered on a NSW data website in September by technology specialist Skeeve Stevens.

He alerted cyber experts who raised the alarm with the NSW government. It referred the matter to the privacy commissioner the following month and a spokesman said it was told it “did not constitute a privacy breach”.

Mr Perrottet said he was advised of “an issue” on Monday morning.

“That was worked through [by the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn’t have happened,” Mr Perrottet said.

The list of addresses included correctional facilities, critical infrastructure networks including power stations and tunnel entry sites as well as dozens of shelters and crisis accommodation centres for women across the state.

The NSW Department of Customer Service said it classed fewer than 1 per cent of the 566,318 locations as sensitive.

COVID-safe registration was open to all businesses, including those in other states and territories that had interests in NSW. Locations in Western Australia, Queensland, Victoria, South Australia and the ACT were also in the dataset seen by this masthead.

“These businesses were all contacted by telephone and letter. No issues of concern were raised by any recipients,” a department spokesperson said.

A domestic violence victims’ support advocate said the leak “could be a matter of life and death”.

“If the government is really sharing information like this it can have serious consequences,” Women’s Safety NSW chief executive Hayley Foster said.

A notice on the NSW data website dated October 12, 2021, says: “The COVID Safe Businesses and Organisations dataset has been discontinued. We have identified issues with integrity of the data.”

Neither the department nor the government has explained what the “integrity” issue was.

A department spokesperson said it considered the security and privacy of customer information its highest priority.

“The list of COVID Safe businesses was publicly available online to ensure customers could plan activities while remaining COVID Safe,” it said. “Those registering were advised the Department of Customer Service may share de-identified information for research and statistical purposes.”

But Mr Stevens, who works in the security and intelligence space, said the database could have been used for “bad things” if the wrong people had got hold of it.

“Some of the scary things we were searching [was] firearms, armoury, federal police and where storage locations were ... perhaps someone should’ve thought about what should and shouldn’t have been disclosed,” he said.

Civil libertarian Terry O’Gorman questioned why the information was made available in the first place and said if there had been a significant breach, the relevant state government department should be prosecuted.

“It just boggles the mind as to why there’s even a necessity to publish this sort of information,” he said.