A vulnerability in the service portal for the National Disability Insurance Scheme has allowed a number of providers to obtain personally identifiable information of users and steal money.
A report in The Australian on Friday said the agency in charge was investigating who had been involved and planned to try and recover the money stolen. The NDIS is managed by the Department of Human Services.
The flaw allowed any user or registered provider to gain access to random support pages for users by guessing a nine-digit plan number. Companies could then bill these users and receive payment right away.
In a statement , the National Disability Insurance Agency, the organisation running the scheme, said its Fraud Taskforce had identified "a small number of providers who may be seeking to exploit the NDIS".
"These providers are under investigation by the Taskforce," the NDIA said.
"As a result of these on-going investigations a number of providers have been blocked from accessing payments while suspicious claims are being investigated, to ensure participants are protected.
It said it had begun contacting the affected participants and would ensure that they were not out of pocket.
A day prior to that, the NDIA announced changes to the portal, requiring the participant NDIS number, participant date of birth and participant surname to search for any participant.
Commenting on the breach, Serkan Cetin, regional manager for APJ at identity and access management firm One Identity, said the Federal Government should be held to the same high standards to which private companies adhered "which is the protection of individuals’ information from any malicious attacker whether that be a threat external or internal".
"Looking at the incident that took place with the NDIS, the case presents itself an example of what an insider threat is. In this case, the insider is the NDIS provider, and the data breach could have been either accidental or malicious.
"NDIA have taken a good first approach here by altering the system to require three pieces of information to perform a search to help ensure that the provider is only able to retrieve the correct record, and prevent from further immediate breaches. Like all systems though, the system should be reviewed and tested against today's, and tomorrow's, threat vectors regularly, as the points of attack are constantly evolving."
Cetin said it was common for organisations to focus on external (outsider) threats, such as ensuring that their networks were secure and preventing malicious outsiders from obtaining sensitive information.
"However an aspect which can be overlooked is to the internal (insider) threat. This includes addressing the administrative access through to backend systems, and the end user access to the front ends, including how the data can be obtained from the systems and the authentication and authorisation methods," he said.
One way of enhancing security could be the implementation of multi-factor authentication.
"There are several reasons why organisations fail to adopt MFA, or any security technology for that matter," Cetin pointed out. "First, there’s the cost. MFA (and most security investments) cost money but don’t contribute to increasing revenue. When faced with a choice, many organisations choose first to invest in those areas that will generate revenue.
"Second, there’s user frustration. In order to offer security while limiting user frustration, organisations can look to implement 'risk-aware' security solutions where, if the user is logging in from the office during that day, there’s no need to request a second factor for authentication. But if that same user logs in from a previously unknown location, on a Sunday, that triggers some concern, and in that case a second authentication factor is requested. This increases overall security, without frustrating users."
LEARN HOW TO REDUCE YOUR RISK OF A CYBER ATTACKAustralia is a cyber espionage hot spot.
As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.
It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.
In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.
Cyber security can no longer be ignored, in this white paper you’ll learn:
How does business security get breached?
What can it cost to get it wrong?
6 actionable tips
DOWNLOAD NOW!
10 SIMPLE TIPS TO PROTECT YOUR ORGANISATION FROM RANSOMWARERansomware attacks on businesses and institutions are now the most common type of malware breach, accounting for 39% of all IT security incidents, and they are still growing.
Criminal ransomware revenues are projected to reach $11.5B by 2019.
With a few simple policies and procedures, plus some cutting-edge endpoint countermeasures, you can effectively protect your business from the ransomware menace.
DOWNLOAD NOW!