The target: Service New South Wales, an Australian government agency.
The take: 3.8 million combined records from a total of 186,000 customers. Data stolen included: names, home addresses, scans of handwritten notes, applications forms, and records of transactions.
The attack vector: Attackers gained access to NSW’s systems through a targeted phishing attack against an employee. These credentials were compromised when the employee clicked on a suspicious link, leading to unauthorized access of 47 Service NSW staff member’s email accounts.
The highly sensitive information stolen presents a clear risk of identity theft and further scams against the affected customers. Training and teaching around phishing attacks are of critical importance for every firm. Knowing how to recognize an attack and what to do are key takeaways from this incident.