Service NSW has settled on the secure data transfer application that will replace email for sharing sensitive personal information at service centres following a phishing attack last year. The solution has been rolled out to almost half of all service centres across the state after being developed in-house by the one-stop shop for NSW government services. It will allow frontline staff to transfer information to other government agencies such as NSW Births, Deaths and Marriages and NSW Fair Trading.
The need for such a solution became extremely apparent in March 2020, when an email compromise attack against 47 Service NSW staff members exposed the personal information of 103,000 customers. Roughly 3.8 million documents, including handwritten notes, scans of driver’s licences and records of transactions, were stolen in an incident that has now cost over $25 million to remediate.
In the absence of alternative methods of information sharing, service centre staff would routinely transfer documents containing personal information to staff in other NSW government agencies using email, a practice that Service NSW itself identified as a risk at least a year prior.
When answering questions on notice from budget estimates, Service NSW last month revealed it had begun the process of rolling out a new transfer solution to its service centre network. A spokesperson stated that, after an assessment of “several delivery options” at the end of the six-month pilot, the agency selected a solution that was developed in-house and built on a stack by an American software and I&T company.
The solution has been developed by a dedicated Service NSW team, the spokesperson said. It provides an improved method to protect customer information and replaces the use of email to transfer scanned documents.
At present, 48 service centres across the state have begun using the solution, all but four of which went live in the past month. The first four service centres – which were involved in the six-month pilot – used the solution to transfer information to Department of Customer Service partner agencies for 280 transactions.
It was noted that the full network rollout to all 107 service centres is expected to be completed by January. Since the email compromise attack, Service NSW has also introduced controls to automatically delete emails that are more than 60 days old. Earlier this year, the Service NSW CEO said this had singlehandedly reduced the number of emails in mailboxes by 92% since June 2020.
Service NSW also introduced multi-factor authentication across almost all of its externally-facing IT systems in the wake of last year’s phishing attack that exposed 736GB of data. After bringing MFA to email shortly after the March 2020 data breach, the CEO said the agency had now enabled the feature on all but 5% of externally-facing systems. It follows funding to the tune of $5 million in last year’s state budget for cyber security upgrades at the one-stop shop for NSW government services.
Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).
MFA protects user data – this may include personal identification or financial assets – from being accessed by an unauthorised third party that may have been able to discover, for example, a single password. A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.