National Disability Insurance Agency

Summary

The National Disability Insurance Agency (NDIA) disclosed in July 2023 that data belonging to 645 NDIS participants and prospective participants was compromised in the April 2023 ransomware attack on law firm HWL Ebsworth. The breach exposed highly sensitive information about people with disabilities, and the NDIA faced significant criticism for taking six weeks to notify affected participants after learning the data had been published on the dark web.

What Happened

This breach was part of the larger HWL Ebsworth ransomware attack that occurred in April 2023, when the ALPHV (BlackCat) ransomware group compromised the law firm's systems. HWL Ebsworth provided legal services to numerous government agencies, including the NDIA.

The National Disability Insurance Agency revealed that 645 participants' and prospective participants' information was included in the 1.1 terabytes of hacked HWL Ebsworth data posted on the dark web in June 2023. HWL Ebsworth notified the NDIA that NDIS participants' data was included in the leak on 10 June and provided the agency with a copy of the published data on 13 June. However, participants did not begin receiving notifications until around 25-27 July—approximately six weeks after the NDIA became aware of the breach.

Impact on Individuals

The breach affected 645 NDIS participants and prospective participants. The compromised data included personal information and potentially sensitive disability-related information contained in legal files and case records held by HWL Ebsworth.

People with disabilities are particularly vulnerable to the harms of data breaches. The exposure of disability information, medical details, and personal circumstances could lead to discrimination, targeted scams, or exploitation. The sensitive nature of NDIS participant data—which often includes detailed medical, financial, and support needs information—makes this breach particularly concerning.

People with Disability Australia (PWDA) expressed serious concerns about the breach, noting that participants were distressed by the exposure of their private information and the significant delay in being notified.

Organisational Response

The NDIA's response to the breach drew significant criticism, particularly regarding the six-week delay between learning that participant data had been published (13 June) and beginning to notify affected participants (around 25 July). This delay meant that sensitive information was publicly accessible on the dark web for an extended period before participants were informed and could take protective measures.

The Office of the Australian Information Commissioner (OAIC) is investigating a complaint filed by the National Justice Project regarding the handling of the breach and the notification delays.

The National Justice Project is representing 12 NDIS participants in a class action against HWL Ebsworth following the ransomware attack. The class action alleges that the law firm failed to adequately protect sensitive client information and did not respond appropriately to the breach.
