Australian Information Security Incident Reported: September 11 2018
A vulnerability in the service portal for the National Disability Insurance Scheme has allowed a number of providers to obtain personally identifiable information of users and steal money.
The flaw allowed any user or registered provider to gain access to random users' support pages by guessing a nine-digit plan number. Companies could then bill these users and receive payment right away.
In a statement, the National Disability Insurance Agency, the organisation running the scheme, said its Fraud Taskforce had identified “a small number of providers who may be seeking to exploit the NDIS”.