National Disability Insurance Agency

Summary

The National Disability Insurance Agency (NDIA) detected a data breach on 28 November 2023 involving the alleged unauthorised disclosure of approximately 11,000 NDIS participant records by a staff member. The breach, which NDIS Minister Bill Shorten described as an insider threat rather than a cyber breach, exposed names, dates of birth, and residential addresses, with some records involving children under 18. The employee and one other person were arrested and later sentenced.

What Happened

An NDIA staff member allegedly provided approximately 11,000 participant records to two individuals who had been acting as NDIS providers. The breach was discovered on 28 November 2023, and the alleged perpetrators were arrested the same day.

The incident was classified as an insider threat—unauthorised disclosure by a trusted employee—rather than an external cyberattack or system compromise. The staff member allegedly accessed participant information through their legitimate work access and provided it to external parties without authorisation.

Impact on Individuals

The leaked data included names, dates of birth, gender, and full residential addresses of NDIS participants and related parties. In a small number of cases, further details were disclosed beyond these core data types.

Some individuals caught up in the breach were under 18 years of age at the time, making them particularly vulnerable. The NDIA had difficulty contacting some individuals who were minors when they or their nominees engaged with the scheme, which complicated notification efforts.

With approximately 11,000 records exposed, the breach represented a significant compromise of personal information for vulnerable Australians relying on disability support services.

Organisational Response

The NDIA acted swiftly, with arrests occurring on the same day the breach was detected. The agency worked with law enforcement to investigate and prosecute the alleged offenders.

The former NDIA staff member was sentenced in Parramatta District Court to an aggregate two-and-a-half years' imprisonment, to be served in the community by way of an Intensive Corrections Order, along with 300 hours of community service and a $4,000 fine.

The NDIA provided updates to affected participants and implemented measures to strengthen internal access controls and detect similar unauthorised disclosures.
