Transport for NSW has confirmed its Authorised Inspection Scheme (AIS) online application was impacted by a cyber incident in early April.
The AIS authorises examiners to inspect vehicles to ensure a minimum safety standard. To become an authorised examiner, online applications need to be submitted and requires applicants to share personal details including their full name, address, phone number, email address, date of birth, and driver’s licence number.
According to Transport for NSW, the incident saw an unauthorised third-party successfully access a “small number” of the application’s user accounts.
“We recognise that data privacy is paramount and deeply regret that customers may be affected by this attack,” Transport for NSW said.
“Scammers may try to capitalise on these events. Customers should not respond to unsolicited phone calls, emails or text messages from anyone claiming to be from Transport for NSW related to any security matter.”
Transport for NSW said it is notifying affected examiners individually and will provide options to help them avoid further impacts from the incident.
Additionally, security measures have also been put in place, Transport for NSW assured and highlighted monitoring of the application continues.
This latest breach comes just over a year after Transport for NSW said it was being impacted by a cyber attack on a file transfer system owned by Accellion.
The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW.
At the end of last year, the state’s auditor-general Margaret Crawfound found none of NSW’s lead cluster agencies — including Transport — had implemented all Essential Eight controls, which was a cause for “significant concern”.
“Key elements to strengthen cybersecurity governance, controls, and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW government agencies,” the auditor-general wrote in a compliance report [PDF] about the state’s cybersecurity capabilities.