NDIS data compromised in management system hack

Hackers have allegedly gained access to "a large volume of data"

By Mika Pangilinan

CTARS, the cloud-based client management system used by National Disability Insurance Scheme (NDIS) service providers, has fallen victim to a security breach, leaving a “large volume” of sensitive data compromised.

Posting on the company website, CTARS revealed that an unauthorised third party gained access to its systems on May 15. A couple of days later, on May 21, the third party claimed it had stolen “a large volume of data” and that it had published a sample on a forum in the “deep web.”

“Although we cannot confirm the details of all the data in the time available, to be extra careful we are treating any information held in our database as being compromised,” CTARS wrote on a page dedicated to the breach. “This data includes documents containing personal information relating to our customers and their clients and carers.”

CTARS went on to explain that it has contacted clients impacted by the breach, namely NDIS and other disability service providers who make use of its platform to store sensitive information on recipients and their staff carers.

While CTARS said it won’t be able to confirm the exact scale of the breach and which specific details have been compromised, it warned NDIS participants to take precautionary steps in securing their personal information, including their Tax File Number (TFN) and their Medicare or pensioner card.

“If you are concerned about the potential misuse of your personal information, we have arranged free support from IDCARE, Australia’s national identity and cybersecurity community support service,” the company said.

Speaking with consumer advocacy group CHOICE, a representative from the National Disability Insurance Agency (NDIA) clarified that the federal agency’s own systems were untouched by the breach, adding that “business decisions, including the use of software and data storage, are a matter for individual organisations.” A separate statement addressed to VICE said that the NDIA has been working with CTARS following the hack as it takes the protection of participant data “extremely seriously.”

Kate Bower, a consumer data advocate at CHOICE, said that CTARS appears to have done “everything it was legally required to do” regarding the notification of those affected by the breach. The problem, she said, is that the laws requiring remedies for people affected by data breaches and cybersecurity incidents need to be stronger.

“There is literally nothing that people can do to seek redress and we believe that needs to change,” Bower said.
