Up to 30,000 NSW residents do not know their private information was compromised in a massive hacking incident last year.

Service NSW chief Damon Rees has told a recent parliamentary inquiry into cybersecurity that only about 70 and 80 per cent of the 104,000 people whose data was compromised have been informed. 

“Not all of those individuals we’ve been able to identify have contact information available,” Mr Rees said.

“The method of notification in order to not generate risk for the public is registered person-to-person mail, which relies on us having a current, physical mailing address for the individual,” he said.

Service NSW has obtained a privacy law exemption from the Information and Privacy Commission to obtain mailing addresses from Transport NSW.

The NSW Auditor-General slammed the agency’s handling of personal data in a December 2020 special report, which found the hack had not changed the unsafe and outdated methods Service NSW uses to handle sensitive information.

Last week, Mr Rees also revealed that the agency still has not stopped its practice of emailing personal data to other agencies, which was part of what made the hack possible.

NSW Police say an investigation into the March 2020 hacking incident is ongoing.

Deputy Commissioner for Investigations and Counter Terrorism David Hudson said police now have a “fairly good handle” on what happened, but are waiting on the return of some information from the Australian Federal Police.

“We believe there was malicious intent, which would make it a cybercrime,” he said.

“Some data breaches are caused by human error. Certainly wasn't the case in this — it was malicious actors.”