A security incident recently experienced by Ability WA may have resulted in unauthorised access to personal information Ability WA holds about its employees and customers.
This notification applies to Ability WA customers. Please see the employee notification here if you are a current or former employee of Ability WA.
On 5 March 2022, Ability WA experienced a ransomware attack. Upon becoming aware of the incident, Ability WA immediately engaged its IT provider to recover its systems and a forensic investigator to investigate the cause and scope of the incident.
The investigation discovered that an unknown person gained unauthorised access to Ability WA's systems. During this time, the cybercriminal accessed parts of Ability WA's network. The cybercriminal copied a large quantity of data from the affected systems before causing a system outage by executing the ransomware.
Ability WA was able to recover its systems and has since implemented numerous technical and practical measures to improve the security of its systems and ensure that this kind of incident does not reoccur in the future.
Ability WA has continually monitored the dark web for any sign of the data stolen by the cybercriminal since the incident. There is no evidence that any of the stolen data has been published.
Ability WA has reported the incident to the Office of the Australian Information Commissioner. We will continue to liaise with that authority regarding the incident and ensure that all of our statutory obligations are met.
What data was compromised?
The data stolen by the cybercriminal included a range of documents about the services provided by Ability WA to its customers. In some cases, these documents may expressly or impliedly indicate that a customer has a particular disability. In other cases, they may contain details about the customer's disability or general health. These documents vary from customer to customer but include:
- medical records relating to both the physical and psychological health of customers;
- records of occupational therapy, speech pathology and physiotherapy undertaken by customers;
- records of mobility and other equipment supplied to customers;
- records regarding customers' dietary requirements;
- records regarding customers' accommodation;
- records of consultancy programs and education undertaken by customers;
- reports and notes from social workers;
- profiles, plans and reports relating to programs administered by Ability WA;
- application forms, referral forms, consent forms and checklists relating to the services provided by Ability WA;
- plans and agreements regarding customers' participation in the National Disability Insurance Scheme;
- Centrelink forms for customers (pre-National Disability Insurance Scheme);
- correspondence between Ability WA and customers, customers' families, and third parties such as schools and medical providers; and
- copies of court and tribunal orders and administrative decisions.
We appreciate that much of this information is sensitive, and that knowing such information may have been subject to unauthorised access may be distressing for you.
Please note that Ability WA has continually monitored the dark web for any sign of the stolen data since the incident. There is no evidence that the cybercriminal has published or misused any of this information.
Nevertheless, we sincerely regret and apologise for any distress this incident may have caused you. If you experience distress, you should consider consulting a support service or your GP.
It is also possible that the stolen data contains copies or details of identification documents, Government-issued identifiers and/or payment and bank account details for some customers. We have engaged a specialist provider to search the stolen data to identify any such details and the individuals to whom they relate. Once that process is complete, we will contact those individuals directly with further information and advice.
Steps you can take to protect against potential data misuse
To date, there is no evidence that the cybercriminal has published or misused any of the stolen data. However, it is possible that someone may use the data to impersonate Ability WA or another disability or health service provider to trick you into disclosing other personal information or access credentials. This is called "social engineering" and can be a precursor to identity fraud.
To protect yourself against social engineering:
- be wary of anyone contacting you who purports to be from Ability WA or another entity and requests personal information or access credentials from you, even if they appear to know some details about you already;
- do not respond to unsolicited email or SMS messages asking for personal information; and
- be careful of unsolicited telephone calls which purport to be from a business or government authority. If you think the call is genuine, hang up and call the business or authority back on their public telephone number.
Additional information on these types of fraud and how to avoid them is available at the Australian Cyber Security Centre website.
Additional guidance about steps you can take to protect yourself can be found on the Office of the Australian Information Commissioner's website.
If you still have questions
Ability WA takes the security of your information very seriously. We apologise for any inconvenience or distress this incident may cause you. If you would like to discuss the situation with us further or if you have any questions about any aspect of this email, please do not hesitate to contact our Customer Contact Team on 1300 106 106 or email us at email@example.com.