Newly appointed Minister for the National Disability Insurance Scheme (NDIS) Bill Shorten faces a trial by fire after revelations that a core NDIS software provider was hacked last month, with “a large volume” of personal and health information compromised.

Sydney-based software firm CTARS – which offers a cloud-based client management system for NDIS, disability services, out of home care, and children’s services – revealed this week that “an unauthorised party had gained access to our systems” on the evening of 15 May.

The offender claimed to have taken “a large volume of data” and, six days later, posted a sample of that data – which includes personal information about customers, their clients and carers – on a deep-web forum.

“Due to the very large volume of information held by CTARS and the very lengthy time it would take to review in detail,” the company said, it is “unable to confirm exactly what personal information… was compromised.”

“To be extra careful, we are treating any information held in our database as being compromised.”

CTARS is used by NDIS providers to record information about program participants, their individual care needs, and their progress over time – meaning, the company said, that “personal, health, and other sensitive information about [NDIS clients] is stored in CTARS and accessible to your care provider.”

The Office of the Australian Information Commissioner (OAIC) and Australian Cyber Security Centre (ACSC) have been notified, with external cyber security experts and identity-fraud support organisation IDCARE engaged to support those affected.

The breach was no surprise for ADAPT senior research analyst Shane Hill, who noted that “social support systems relied on by Australians remain complex.”

“Agency staff and citizens are trying to manage and navigate a complex web of digital and physical journeys that don’t interact securely and efficiently,” he said.

“Vast amounts of sensitive data kept in any one place inevitably creates a honey-pot for attackers, and the unfortunate reality is that while most organisations are good at measuring how fast they respond to an incident, the ‘identification and prevention’ stage of a security breach is still lacking.”

“A struggle to communicate the value of cyber to the CEO, CFO, and the Board persists, but a crisis like this presents the opportunity for CISOs to clearly show company decision-makers the reputational and financial cost of a breach without the need to get technical.”

Heading off identity fraud

The compromise comes after a long-running campaign by Shorten, who has repeatedly alleged that the NDIS, which costs the federal government $33.9 billion per year, has been starved of resources and was being compromised by the Liberal Government’s “war of attrition against advocates”.

During a National Press Club address last year, then-Shadow Minister for the NDIS Shorten warned that “the NDIS is being poorly run, it is under attack and Australians with disability are suffering.”

“Those currently in charge of the scheme see you as numbers on a page, data in a system.”

Health service providers have long been the most frequent targets of cybercriminal activity, with the OAIC reporting that the sector comprised 18 per cent of all breaches – 83 separate incidents – during the second half of 2021.

Malicious or criminal attacks were responsible for 47 per cent of those breaches, with human error accounting for an equal share.

The OAIC recorded 396 data breaches involving contact information and 185 involving identity information during the six-month period, while 120 incidents involved the theft of health information.

The depth and breadth of personal information held by NDIS providers makes the breach potentially significant, particularly as a vector for identity theft.

The OAIC recorded 65 cases of impersonation attacks during 2021 alone, with stolen credentials used to perpetrate a broad range of cyber crimes that have left victims in financial ruin.

Improving support for victims has been a priority for organisations like the NSW Government, which last month launched a ‘one-stop shop’ to simplify the process of recovering compromised credentials for victims of identity fraud schemes that cost Australians millions of dollars per year.

Ensuring data security will be crucial as the health system continues to embrace digital transformation, with $107.2m invested into healthcare modernisation in the recent Budget.

This, the Department of Health recently noted, includes investments to “safeguard national health data critical to informing the Government’s Long-Term National Health Plan and improving the health and wellbeing of all Australians.”