Hackers Steal a ‘Very Large’ Batch of Private Data from Australia’s Disability Scheme

Hackers have obtained and published part of a “very large” batch of medical records and other sensitive information belonging to participants of Australia’s National Disability Insurance Scheme after breaching the scheme’s client management software last month.

The platform that fell victim to the breach is an Australian software provider called CTARS, and provides client management services to NDIS providers as well as the people living with disabilities they support. 

A spokesperson for the company told VICE that staff became aware of the breach on May 15, before a sample of the data was bragged about on a ‘deep web’ forum.

As it stands, the breach has only affected NDIS participants whose providers use CTARS—not all participants of the scheme—who the company says can expect to be notified if their data has been compromised.

“In the interests of the privacy of our customers’ clients and staff, and to reduce the risk of attempts by scammers to target our customers, we are not releasing details of the number of people who may have been impacted,” the spokesman said.

The scope of the details lifted from the platform have been described by some privacy advocates as “galling”. Among them are understood to be Medicare numbers, Tax File Numbers and “more than enough” to commit credit card fraud. So far, attempts to offer help to those impacted have been limited.

 In the short term, though, the team at CTARS say they have engaged external cyber-security and forensic specialists to contain the hack.

The National Disability Insurance Agency, the federal agency tasked with administering Australia’s disability scheme, told VICE through a spokesperson that it has been working with CTARS since the hack and that it takes the protection of participant data and information security “extremely seriously”.

In response to questions about what the NDIA was doing to offer support and recourse to those who think they might have been affected, the agency deferred to the CTARS website, which has set up a community service support centre courtesy of Australia’s national identity and cybersecurity community support service.

The incident has since been reported to both the Office of the Australian Information Commissioner, and the Australian Cyber Security Centre (ACSC). Digital rights advocates, though, said the breach comes to illustrate broader issues with the way the harmful mass publication of sensitive information like this are handled in Australia. 

“I think it's important to highlight that we're not talking about some kind of abstract harm here—this kind of data breach puts vulnerable people at serious risk of identity theft, fraud, and scams,” Samantha Floreani, a program lead at Digital Rights Watch Australia, told VICE. 

“On top of that, finding out that your sensitive information may be on the dark web is very distressing and, frankly, super burdensome to have to navigate a long list of administrative tasks to protect yourself once you suspect your personal information may have been compromised.”

She said it’s worth noting that the NDIA and CTARS have likely done all that’s legally required of them. The trouble is, she said, that the law isn’t strong enough. 

“This is not just an NDIA problem—breaches happen alarmingly often, both by government agencies and their contracted service providers. But when it happens, there is currently very little legal recourse available for people who have been affected,” Floreani said. 

“We need a statutory tort for serious breach of privacy so that people have the ability to exercise their rights and hold entities accountable. This proposal isn't new, it's been around for almost ten years,” she said.

Floreani isn’t alone in calling for it. The inclusion of a statutory tort—a legislative provision that would give victims of privacy breaches like this an avenue to claim a remedy or damages of some sort—has become central to sweeping discussion of Australia’s ongoing review of the Privacy Act. 

Failing to offer some of Australia’s most vulnerable communities legal recourse after falling victim to a hack of this volume only adds evidence to a mounting pile.

“What I see when I look at the news of this breach, aside from the immense potential harm to NDIS participants, is the ongoing failure of our government to take privacy seriously,” said Floreani, “and to create real, meaningful protections for our rights.”

Follow John on Twitter.

Read more from VICE Australia.