The government will announce a wave of security measures this week after the cyberattack that exposed the personal information of millions of Optus customers.
Government action for Optus customers was swift, but there’s been no justice for National Disability Insurance Scheme (NDIS) participants, nor aged care home residents and their carers. In May, data from CTARS — a cloud-based client management system for NDIS and out-of-home care services — was hacked, with data samples posted on the deep web.
The information is highly sensitive, including health records such as diagnoses; treatment and recovery of medical conditions; and Medicare, pensioner card and tax file numbers. The data could also include information about mental health, suicide ideation, incontinence and how a disability is progressing.
What happened?
Optus revealed that just under 10 million customers were affected by its breach, but CTARS hasn’t said how many NDIS participants were affected — saying instead that a “large volume” of sensitive data was exposed. Security experts estimate about 12,000 email addresses were compromised, most of which belonged to staff. Client data may be linked to the emails.
“In the interests of the privacy of our customers’ clients and staff, and to reduce the risk of attempts by scammers to target our customers, we are not releasing details of the number of people who may have been impacted,” CTARS told Crikey.
Not all NDIS participants were affected, just those contracted with a company that uses CTARS. The company also works with children’s services, disability services, and foster and out-of-home care. Centennial Lawyers is considering a class action against CTARS.
The company engaged external cybersecurity and forensic specialists to contain and investigate the breach and implement additional security measures, and engaged IDCARE, Australia’s national identity and community support service, to support people concerned about their information security.
The breach was also reported to the National Disability Insurance Agency (NDIA), the Office of the Australian Information Commissioner (OAIC), the Australian Cyber Security Centre (ACSC), police, Services Australia and the Australian Taxation Office.
CTARS put out a statement, but it was up to the individual service providers to tell affected clients and staff. CEO of the National Justice Project and human rights lawyer George Newhouse has questioned whether those affected had been properly notified. Some service providers sent out emails to affected clients, but neither CTARS nor the NDIS confirmed how many organisations were involved.
“[This] is a much more serious breach than Optus in terms of personal impact — and yet no one is speaking up for some of the most vulnerable people in this country and protecting their security and privacy. This must change,” Newhouse said.
“Although it impacts many more people, the content of the data obtained in the Optus data breach is much more benign than personal medical records obtained when CTARS was hacked. I just hope that this government is listening.”
How can hackers use the information?
Electronic Frontiers Australia chair Justin Warren told Crikey the way hacked information could be used ranged from the benign to the abusive.
“The worst thing that can happen is an abusive ex-partner can discover where you live … but for most people, the most likely thing is boring old fraud,” he said.
“Personal information is quite profitable. They can either sell it to other criminal gangs, or they can use points of ID to fraudulently pretend to be you for financial gain … such as using 100 points of ID to take out a bank loan or credit card in your name … or transfer superannuation amounts from one fund to another.”
For medical data, breaches can become even muddier, Warren said. Insurance companies could use medical data to train algorithms to control risk and decide whether to deny coverage, and it wouldn’t be obvious what data they used. On an individual level, breached medical and mental health data can also be used for personal blackmail.
Is the government responding?
The Office of the Australian Information Commissioner was notified of CTARS’ data breach, although Crikey understands no investigation or report was compiled and no regulatory action was taken. The office has had its funding slashed in recent years to just $8.71 million in 2022-23, compared with $23.2 million in 2020-21.
Home Affairs Minister Clare O’Neil said there would be new security measures announced this week after the Optus breach. The details have yet to be released, but one change would be to inform banks and other institutions faster when a data breach occurs at a third-party company to ensure personal data cannot be used to access accounts.
But Warren is concerned this might violate people’s privacy a second time, “only faster”. Instead, he said, the Privacy Act needed to be made more robust.
“The Privacy Act allows people to collect far too much information they don’t need,” he said. “You should only be able to collect and keep information that you have a legitimate need to both collect in the first place and then hang on to.”
“You cannot lose control of what you don’t have.”
He also supports calls for the development of a statutory tort of serious invasion of privacy, enabling people to take direct legal action, and said there needed to be greater consequences for improper data storage.
The NDIA told Crikey the breach wasn’t of NDIS systems. “The NDIA has made inquiries with CTARS about the handling of the breach,” it said — but didn’t elaborate. “The agency takes the protection of participant data and information security extremely seriously.”
O’Neil’s office has been contacted for comment.
