This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Transport for NSW

Over 54,000 scanned NSW driver's licences were discovered in an unsecured AWS S3 cloud storage bucket. The source and responsible party remained unclear for months, and affected individuals were not contacted for over four months.

What Happened

Security researcher Bob Diachenko discovered an open AWS S3 storage bucket containing scanned images of 54,175 NSW driver's licences. The bucket was publicly accessible without authentication, meaning anyone with the URL could view and download the licence images.

The scanned licences included full names, addresses, dates of birth, licence numbers, and photographs—all the information needed for identity theft. The origin of the data remained mysterious, with suggestions it may have come from a fleet management company, toll road operator, or other entity that collected licence scans for verification purposes.

Critically, Transport for NSW and Service NSW took over four months to begin notifying affected individuals, despite the severity of the exposure.

Impact on Individuals

The exposure of driver's licence scans created severe identity theft risks. NSW driver's licences are a primary form of identification in Australia, accepted for opening bank accounts, applying for credit, and accessing government services. Victims faced risks of fraudulent identity document creation and identity crime.

Organisational Response

The response was criticised as inadequate, with significant delays in notification and unclear accountability. The incident raised questions about third-party data handling practices and the lack of visibility government agencies have over where citizens' identity documents end up. The delayed notification meant affected individuals were unaware of their risk exposure for an extended period.
