Transport for NSW was one of several targets around the world in a “very, very serious” hacking attack, state Transport Minister Andrew Constance has revealed.
In December 2020, businesses and government agencies, including the NSW transport and health agencies, were affected by an attack on California-based company Accellion.
Mr Constance told a budget estimates hearing on Thursday the hackers had accessed “a lot of documentation” from Transport for NSW.
The agency has issued a statement warning that citizens might be affected and urging everyone who think they might have been contacted by a scammer to get in touch with Transport for NSW.
“Scammers may try to capitalise on these events,” the statement said.
“Customers should not respond to unsolicited phone calls, emails or text messages from anyone claiming to be Transport for NSW related to any security matter.”
NSW Health was also affected by the hack, Cyber Security NSW has said.
“It isn’t some teenagers sitting in a basement somewhere, this is actually a very serious attack in the nature of what has occurred,” Mr Constance said.
“There has been, unfortunately, a lot of documentation that has been (accessed). The bottom line is, it’s very serious what has been accessed.”
The hackers targeted an Accellion file-transfer service that Transport for NSW had hired to store files.
Other Accellion clients affected included the Reserve Bank of New Zealand and the auditor in the US state of Washington, as well as a prominent law firm and a pharmacy chain, according to the Associated Press.
The Australian Securities and Investments Commission has also said it was targeted.
Transport for NSW said an active investigation is underway.
Driver’s licence databases, opal cards and medical records were not affected, Cyber Security NSW said.
The agency said in a statement it “was first made aware of the Accellion vulnerabilities in January and with NSW Police, established Strike Force Martine to investigate the impacts of the breach on the NSW Government”.
Mr Constance said he had been briefed in his capacity as minister but that he would “let the professionals do their work”.
“This is a very, very serious breach and we can’t understate that,” he said.
It comes after a top NSW bureaucrat revealed that up to 30,000 state residents still haven’t been informed their private information was compromised in a separate hacking incident last year that targeted Service NSW.