HUNTER disability service provider Lifestyle Solutions has apologised for a data hack that included personal identifying information of the organisation's current and former employees.
Lifestyle Solutions says it took action as soon as it recognised the breach in April, but affected individuals have told the Newcastle Herald they were not told until late August, some four months after the hack.
Data hacks have made national news in recent days with the cyber attack on telco Optus, which went public on September 22 before confirming that 9.8 million customer records had been "exposed", with the latest figures, yesterday, indicating that more than 2.1 million accounts were "at risk of identity fraud".
The Lifestyle Solutions hack comes as the organisation prepares for a merger with a Tasmanian-based provider, Possability, due to proceed from this month.
A Lifestyle Solutions spokesperson said the organisation "sincerely apologises that this cyber event occurred and for any concern or inconvenience it has caused for the affected individuals, our clients, and staff".
"The identity of the third party who gained unauthorised access remains unknown," the Lifestyle Solutions spokesperson said.
Emails confirm the data breached included bank account details, tax file declarations, superannuation details, drivers' licences, educational qualifications and signatures.
The Herald was told that at least one buyer of a second-hand computer had rung Lifestyle Solutions to say the machine they bought still had the disability organisation's software on it.
Responding, the company spokesperson said "our forensic IT investigation revealed no evidence that any second-hand Lifestyle Solutions computers were involved in the unauthorised access".
They said Lifestyle Solutions did not resell its computers "as a general rule".
One person affected by the Lifestyle Solutions hack said yesterday that the delay in telling those affected had added substantially to the fears they held that they would become victims of financial fraud.
"Lifestyle Solutions has made all the right noises about saying they care for confidentiality and so on, but when you look at how they have handled this, it doesn't add up," the person, who the Herald has agreed not to identify, said.
The affected individual said they had also been caught in the Optus hack and had done everything possible to protect their information by various methods including changing passwords.
They had gone to Service NSW at Wallsend for a new driver's licence number after the Lifestyle Solutions hack but were told it would not be done unless they were already a fraud victim.
"I'm trying to stop myself becoming the victim of fraud, but they don't make it easy," the person said.
A government response yesterday did not clarify the Wallsend advice but said anyone who believed they had been "the subject of identity theft or fraud should apply for a request for a new driver licence number".
The Lifestyle Solutions spokesperson said the Office of the Australian Information Commissioner and the Australian Cyber Security Centre had been notified of the breach and "we have continued to liaise with them in relation to the event".
"Upon discovery of the cyber event, we took immediate action to deactivate our affected systems, secure our IT environment, and engage leading external forensic IT and cyber security expert advisers to assist us in responding to the event, which included conducting a full investigation into what happened," the Lifestyle Solutions spokesperson said.
Asked about the time it took to tell those affected, Lifestyle Solutions said: "Regarding notification to affected individuals, it was necessary for us to carefully analyse the potentially affected dataset to understand exactly what information may have been affected and who it belonged to so that our notification to affected individuals was accurate and did not cause any undue alarm or distress.
"This type of detailed analysis takes time, and we have been mindful to ensure our process and notification was as thorough and accurate as possible."
Emails show Lifestyle Solutions telling those affected it had "no reason to believe or evidence to suggest that data has been or will be misused by the third party" that obtained the information.
But one person affected said that on the details Lifestyle Solutions had provided, there was no reason to believe the information would not be misused.
"Otherwise, why take it?" the impacted individual said.
The Office of the Australian Information Commissioner confirmed it had been notified of the incident by Lifestyle Solutions, but said confidentiality requirements meant it could only give limited responses.
The office said it expected any organisation covered by the Privacy Act and responding to a data breach involving personal information to act quickly and to notify those affected "as soon as possible".