NSW government database leaks more than 500,000 addresses
The Australian state’s premier has admitted the data breach "shouldn’t have happened”


The New South Wales (NSW) government has admitted to a data breach that saw more than 500,000 addresses leaked through a government website.
Hundreds of thousands of locations were collected by the NSW Customer Services Department through its QR code registration system before being made public through a government website, as reported by 9News.
The locations belonged to organisations that registered as a COVID-safe business, an option that was available to all NSW businesses, as well as those in other states that had interests in NSW.
The leak was discovered by whistleblower Skeeve Stevens who identified the dataset in September and said he alerted cyber security experts, who then told the government.
Locations included defence sites, missile maintenance units, domestic violence shelters, critical infrastructure networks, and correctional facilities. Also included in the database were locations in the states of Western Australia, Victoria, Queensland, South Australia and the Australian Capital Territory.
The government said it had referred the matter to the privacy commissioner last October and was told the incident didn’t constitute a privacy breach. NSW premier Dominic Perrottet said he was advised of the issue this week, admitting that the information had been uploaded in error.
RELATED RESOURCE
Vulnerability and patch management
Keep known vulnerabilities out of your IT infrastructure
"That was worked through [the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn't have happened," said Perrottet.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
A spokesperson from the Department of Customer Service told IT Pro that a decision was made to publish a list of registered COVID-Safe businesses and that it stands by that decision. The spokesperson added that the issue wasn't related to QR code data, and that at no time were personal details published or QR code data of any kind.
"In a small number of cases, those businesses who self-registered were of a sensitive nature. In hindsight, their addresses should not have been published. These workplaces were subsequently contacted and the details of all businesses were removed," said the spokesperson.
The NSW Department of Customer Services told 9News it classed less than 1% of the 566,318 locations as sensitive.
There is a notice on the NSW data website from 12 October 2021 stating that the COVID-Safe Businesses and Organisation dataset has been discontinued. “We have identified issues with the integrity of the data with the recent increase in volume of registrations. We apologise for any inconvenience,” said the notice, without revealing what the issue was.
QR codes have caused experts to discuss whether they present a genuine cyber security threat, including last weekend when a marketing stunt from Coinbase used QR codes to drive potential customers to its site. Some experts said that they shouldn’t be fully trusted due to the potential for hijacking by cyber criminals, while others said that the concern around the technology is overblown and the real-world threat is relatively low.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.
-
Cleo attack victim list grows as Hertz confirms customer data stolen
News Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
By Ross Kelly
-
Lateral moves in tech: Why leaders should support employee mobility
In-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
By Keri Allan
-
Latitude Financial's data policies questioned after more than 14 million records stolen
News Some of the data is from at least 2005 and includes customers’ name, address, and date of birth
By Zach Marzouk
-
Latitude hack now under state investigation as customers struggle to protect their accounts
News The cyber attack has affected around 330,000 customers, although the company has said this is likely to increase
By Zach Marzouk
-
IDCARE: Meet the cyber security charity shaping Australia and New Zealand's data breach response
Case Studies IDCARE is recruiting a reserve army to turbocharge the fightback against cyber crime not just in the region, but in the interests of victims all over the world
By Zach Marzouk
-
Australia commits to establishing second national cyber security agency
News The country is still aiming to be the most cyber-secure country in the world by 2030
By Zach Marzouk
-
Medibank bleeds $26 million in cyber costs following hack
News The company believes this figure could rise to $45 million for the 2023 financial year
By Zach Marzouk
-
TikTok's two new European data centres to address data protection concerns
News The company is under pressure to prove its user data isn’t being accessed by the Chinese state
By Zach Marzouk
-
Cyber attack on Australia’s TPG Telecom affects 15,000 customers
News It is the third cyber attack on a major Australian telco since October
By Zach Marzouk
-
Telstra blames IT blunder for leak of 130,000 customer records
News Australia’s biggest telco said that the error was due to a mismanagement of databases and not a cyber attack
By Zach Marzouk