The National Disability Insurance Agency (NDIA) has revealed that 645 participants’ and prospective participants’ information was included in the 1.1 TB of hacked HWL Ebsworth (HWLE) data posted on the dark web in June.
The agency first revealed on July 25 that some personal client information was released in the attack on the law firm, which represents NDIA in participants’ appeals against decisions on their plans or against refusals of applications for the National Disability Insurance Scheme (NDIS).
Last week, the agency also revealed the number of victims.
“Based on the data we reviewed from HWLE, we identified that 645 participants were impacted,” NDIA chief counsel Matt Swainson told Senate estimates.
He added: “It almost wholly related to participants or prospective participants.”
“We also had access matters – who were involved in Administrative Appeals Tribunal (AAT) matters with the agency.
“HWLE were engaged by the agency in those matters.”
On June 10, HWL Ebsworth notified NDIA that NDIS participants’ data was included in the leak, and on June 13 it provided the agency with a copy of the published data.
“We commenced notifying those participants about July 25 or 27,” Swainson said.
Liberal senator Hollie Hughes said that she was “concerned” by the amount of time that it took to notify the affected participants.
“It is six or seven weeks. From June 13 when the data was known to July 25 is six weeks before participants were starting to be notified,” she said.
Swainson said that after receiving the copy of the leaked data from HWL Ebsworth, a “fairly substantial manual process” was required to confirm which participants were affected, and that NDIA then took a considered approach to how it communicated the breach to each participant, based on their accessibility needs.
“We took frontline staff offline to manually go through those documents to identify those participants who were impacted and whose data was impacted,” he said.
“Once we had that list, we worked through with case managers and agency staff members the most appropriate notification process for each of those affected participants…We tailored the communication to their accessibility needs.”
Swainson said that while Home Affairs was coordinating a whole-of-government response to support the 65 government agencies and departments impacted by the hack, NDIA was taking its own additional measures to protect affected participants from scams and identity theft.
“In terms of what the agency specifically did, we put in place a range of measures…We commenced active monitoring of emails inbound and outbound to put in place fraud detection measures.
“We added participants onto a fraud watch list to make sure there was no unusual activity that might have been going on with those participants.”
Since the leak, NDIA has hardened its own security and also reviewed the security measures of other law firms that it engages, he added.
“We updated our privacy management plan in July this year. We also, throughout July, had individual meetings with all other law firms that were engaged by the agency and the AAT to ask them what additional cyber security measures they had put in place,” he said.
“They are external legal firms engaged by the agency but on the Australian whole-of-government panel.
“Firms are doing additional training. I think one firm engaged hackers to test their systems. There was a range of things that other firms were doing to give us that assurance.”