🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇦🇺 AU › Government

Service NSW

🇦🇺 New South Wales · Service NSW · Record AU-2020-0064
● Confirmed
People affected
104,000 (approx)
Breach date
2020-04
Regulator
NSW Auditor-General / IPC NSW
Trust tier
A · Confirmed

Data exposed

Personal information contained in staff email accounts (~3.8M documents) Media-reported

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In March–April 2020 a phishing attack compromised 47 Service NSW staff email accounts, exposing personal information belonging to around 104,000 customers held within those mailboxes [servicensw]. The NSW Auditor-General later examined the agency’s handling of the incident.

Timeline

  • 2020-04 — Staff email accounts compromised via phishing [servicensw].
  • 2020-09 — Public disclosure; ~104,000 customers affected [servicensw].

Current status

Resolved, with remediation and an Auditor-General review. [servicensw]

Why it matters

A reminder that a handful of phished mailboxes can expose large volumes of citizens’ data held in everyday email.