18 June 2022

Hackers Steal a ‘Very Large’ Batch of Private Data from Australia’s Disability Scheme

Hackers Steal a ‘Very Large’ Batch of Private Data from Australia’s Disability Scheme


Medicare and tax file numbers are publicised after the scheme’s client management platform was breached last month.


Hackers have obtained and published part of a “very large” batch of medical records and other sensitive information belonging to participants of Australia’s National Disability Insurance Scheme after breaching the scheme’s client management software last month.

The platform that fell victim to the breach is an Australian software provider called CTARS, and provides client management services to NDIS providers as well as the people living with disabilities they support. 

A spokesperson for the company told VICE that staff became aware of the breach on May 15, before a sample of the data was bragged about on a ‘deep web’ forum.

As it stands, the breach has only affected NDIS participants whose providers use CTARS—not all participants of the scheme—who the company says can expect to be notified if their data has been compromised.

“In the interests of the privacy of our customers’ clients and staff, and to reduce the risk of attempts by scammers to target our customers, we are not releasing details of the number of people who may have been impacted,” the spokesman said.


The scope of the details lifted from the platform have been described by some privacy advocates as “galling”. Among them are understood to be Medicare numbers, Tax File Numbers and “more than enough” to commit credit card fraud. So far, attempts to offer help to those impacted have been limited.

 In the short term, though, the team at CTARS say they have engaged external cyber-security and forensic specialists to contain the hack.

The National Disability Insurance Agency, the federal agency tasked with administering Australia’s disability scheme, told VICE through a spokesperson that it has been working with CTARS since the hack and that it takes the protection of participant data and information security “extremely seriously”.

In response to questions about what the NDIA was doing to offer support and recourse to those who think they might have been affected, the agency deferred to the CTARS website, which has set up a community service support centre courtesy of Australia’s national identity and cybersecurity community support service.

Source: motherboard

No comments:

Post a Comment