What happened
In May 2022 CTARS, a cloud client-management software provider used across the disability and NDIS sector, was breached and a sample of data was posted to a dark-web forum [ctars-infoage], [ctars-itnews]. Because CTARS could not confirm the exact scope, it treated all information in the affected database as potentially compromised [ctars-itnews]. Reporting described the exposed data as including names, dates of birth, addresses, phone numbers, emails, usernames and passwords, and genders, together with sensitive health and disability information โ conditions, treatments and care needs โ and, per media accounts, Medicare/pensioner card numbers and tax file numbers [ctars-infoage], [ctars-itnews].
Timeline
- 2022-05 โ Unauthorised access occurred around mid-May; a data sample was posted online days later [ctars-itnews].
- 2022-05 โ Publicly disclosed at the end of May; CTARS notified the OAIC and the ACSC and engaged IDCARE to support affected people [ctars-infoage].
Current status
Disclosed. CTARS notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre [ctars-infoage]. Have I Been Pwned indexed roughly 12,000 unique email addresses from the incident, but that count mixes provider staff with NDIS participants and is not an official measure of participants affected โ so no figure is asserted here [ctars-hibp].
Why it matters
Disability-care records are among the most sensitive personal data held anywhere, and a breach of the software that many providers rely on can expose participants across dozens of unrelated organisations at once.