A shocking data breach has resulted in 500,000 QR code check-in addresses being leaked to a public website where the data could be searched and viewed.
The data involved 566,318 locations collected by the NSW Customer Services Department in what has been labelled a ‘massive and dangerous’ violation of trust.
Addresses were not limited to NSW, and included other states and territories if those businesses or the parent organisation had registered with the government to comply with mandated Covid-Safe procedures.
Some of this data included the location of domestic violence shelters, secret defence installations – including a missile maintenance unit – power stations, tunnel locations, and private addresses. Pretty much anywhere that people were required to check in to track Covid – which was everywhere.
It is such a serious event that lawyers have called to prosecute the government department.
NSW Premier Dominic Perrottet has admitted that his state government is to blame for the unthinkable mistake, saying that the list was ‘uploaded in error’.
If nothing else, it is a lesson about the dangers of data and the blind faith that the government has asked citizens to have in its handling of information.
The government is set to introduce its controversial Trusted Digital Identity Bill shortly, which will collect, collate, and share a frightening level of personal information about citizens. A leak or act of human error in this system would be a concern for the safety of citizen identity far greater than the NSW data error.
Perrottet said that he was only told about last year’s QR data leak on Monday, even though it happened in 2021. It has been referred to the Privacy Commissioner, but the real question is how a failure of security on this scale could be made without anybody noticing.
“That was worked through [the] Privacy Commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn’t have happened,” added Perrottet.
The government did not recognise its error; rather, a technology security specialist by the name of Skeeve Stevens noticed that the data was publicly available and alerted experts, who then went on to officially notify the government that it had a serious data security issue.
While the data was online, anyone could have accessed it – including domestic abusers and foreign governments, which is of particular concern given the now-public military installations.
“Some of the scary things we were searching – firearms, armoury, federal police and where storage locations were – perhaps someone should've thought about what should and shouldn't have been disclosed,” said Mr Stevens.