November 2023 data breach: an update from the NDIA

This statement provides an update on a data breach that occurred in November 2023, and the NDIA's response to date. It does not relate to a new or different event.

Since the release of its statement on 28 November 2023, the NDIA has continued to investigate the data breach and to work alongside the Australian Federal Police, the NDIS Quality and Safeguards Commission and other relevant government agencies and law enforcement authorities to respond to this matter.

Why are we publishing this statement?

The NDIA has an obligation, under the Privacy Act 1998 (Privacy Act) and the Notifiable Data Breaches Scheme (NDB Scheme), to notify any individuals potentially impacted by this breach. The Agency has worked to do this, but has been unable to contact some individuals who, at the time of their or their nominee’s engagement with the Scheme, were under the age of 18.

These individuals are not NDIS participants, but may be either a former participant, related to a current NDIS participant or someone who had previously applied for access to the Scheme.

As previously communicated, the information about these individuals that was disclosed during the data breach included the following details recorded in the NDIA's system:

  • full name
  • date of birth
  • gender
  • address, including postcode.

We would also like to reassure everyone that this incident will not impact any participant's ability to receive services and that participants can continue to receive their disability supports in the usual way.

The NDIA is continuing to actively monitor the situation and investigate the breach. It should be noted there are active prosecutions before the courts in relation to this breach, following the Agency and Fraud Fusion Taskforce taking action against those allegedly responsible.

The NDIA recognises that this news may be distressing and concerning for participants, families, carers and supporters. We sincerely apologise for this.

What can you do?

If you suspect that you or someone you know falls within the category of persons identified above, we recommend you take, or advise the person you know to take, the following actions to help reduce the risk of harm associated with the unauthorised disclosure of personal information:

  • Stay alert to increased scam activity, particularly email and SMS or telephone phishing scams. Contact Scamwatch for information about how to recognise, avoid and report scams.
  • The NDIA will never ask participants or their representatives for personal details by SMS. Do not click on any suspicious links or provide your passwords or any personal information to anyone you do not know. Always refuse any unprompted request from an individual to access your computer even if they say they are from a credible organisation.
  • Consider changing your online account passwords. The Australian Cyber Security Centre has guides on good password practices. 
  • Enable multi-factor authentication for your accounts where possible. This means using extra checks to prove your identity.
  • Install up-to-date anti-virus software on any devices you use to access your online accounts.
  • Monitor your bank account transactions and check your credit report to see if it has any unauthorised loans or applications.
  • The Office of the Australian Information Commissioner has general information about how to respond following a data breach. It also has information on ways to protect your privacy. 

If you need further assistance, you can access support and services from IDCARE, Australia’s national identity and cyber support community service. IDCARE can provide tailored and specific advice based on individual circumstances.

IDCARE have expert Case Managers who can work with you to address concerns about personal information risks and any instances where your information may have been misused. If you wish to speak with IDCARE, please complete their Get Help form on the IDCARE website or call 1800 595 160 (Monday to Friday 9am-6pm AEDT excluding public holidays). IDCARE’s services are at no cost.

There is no need to contact us. However, if you wish to contact us about this incident, please contact us at 1300 216 807 (Monday to Friday, 9:00am to 6:00pm AEDT) or [email protected].

Background

The NDIA released a statement on 28 November 2023 in relation to a detected data breach involving the alleged unauthorised disclosure of the personal details of some NDIS participants and related parties. Read the statement.