The “large volume” of data leaked onto the dark web following a breach of a third party NDIS client management system includes “extremely volatile information” that is as sensitive as it gets, according to cybersecurity expert Troy Hunt.
CTARS, a cloud-based client management system provider for NDIS, disability services, out of home care and children’s services, revealed this week that an unauthorised party had gained access to its systems on 15 May, and uploaded a sample of the compromised data to the dark web about a week later.
The company said it is unable to determine exactly what data was compromised, but that it likely includes sensitive health data such as diagnoses, treatments and types of conditions.
Data breach expert and Have I Been Pwned founder Troy Hunt has analysed the breach and said that it is “extraordinarily bad” and involves the most sensitive data possible, including information on suicide attempts, mental health issues, drug use and sexual abuse.
“Particularly when we’re talking about vulnerable people, this is extremely volatile information and it’s horrendous to see it abused in this way,” Mr Hunt told InnovationAus.com.
“It’s just a terrible class of information to be disclosed this way. At the very least you’ve got people’s names and behaviours and medications, and certainly people could recognise themselves there and almost certainly other people could recognise them.”
Mr Hunt called on the NDIS to take responsibility for the breach, pointing to the Red Cross Blood Service data breach, which also involved a third-party provider but saw the organisation’s CEO issue press releases and take responsibility.
“Unfortunately the NDIS will have to bear the brunt of any public backlash…the accountability still stops at the NDIS,” Mr Hunt said.
“It is yet another reminder that once we digitise something we put it at much greater risk of disclosure.”
The NDIA noted that this incident did not involve a breach of its own system, but confirmed that some NDIS providers did use CTARS as part of their operations.
“Business decisions, including the use of software and data storage, are a matter for individual organisations. NDIS participants can be assured that the NDIA takes the protection of participant data and information security extremely seriously,” an NDIA spokesperson told InnovationAus.com.
“Individual providers are responsible for their own business systems. The NDIA does not directly engage with this organisation.”
The spokesperson said that participants should contact CTARS about the breach, and they can also access free support from IDCARE.
The breach has created an “extreme level of risk” in terms of identity theft and fraudulent claims by providers and imposters using the leaked data, Centre for Digital Business chief executive and former NDIS technology authority head Marie Johnson said.
“Data breaches create serious risk of harm – for people who are already suffering from these defective systems,” Ms Johnson told InnovationAus.com.
“This is like having the My Health Record on the dark web. The individual has very little power – and people’s identity would be compromised. There is no way that this can’t be the case. And people won’t know that it has happened. These are the most vulnerable at-risk people.”