On 19 July 2022, we notified our customers about a recent security incident that involved the theft of data from Ability WA’s IT systems. A copy of that notification is available here.

As we mentioned in that notice, Ability WA engaged a specialist provider to search the stolen data to identify any identification documents, Government-issued identifiers or account details contained in the stolen data. As a result of that search, we have now identified some additional personal information held by Ability WA that may have been subject to unauthorised access as a result of the incident.

We have already sent email notifications to all affected individuals for whom we hold current contact details. Those notifications contain specific details about which of their personal information was affected. However, there are a number of affected individuals for whom we do not hold current contact details. As such, we are publishing this general notice.

What personal information was compromised?

The data stolen by the cybercriminal included records about the services provided by Ability WA to its customers. These records included the following personal information relating to some of our customers:

• copies of passports;
• copies of driver’s licences;
• copies of birth certificates;
• Medicare numbers;
• Centrelink customer reference numbers (“CRNs”);
• Jobseeker IDs;
• NDIS numbers;
• Tax File Numbers;
• copies of COVID-19 vaccination certificates; and
• BSB and bank account numbers.

The records also included a register of feedback provided to Ability WA by customers and members of the public. In some cases, the feedback may have included personal information (sometimes sensitive in nature) about the person providing the feedback or others.

Steps you can take to protect against potential misuse of your personal information

Ability WA has continually monitored the dark web for any sign of the stolen data since the incident, and to date there is no evidence that any of this data has been published or misused. Nevertheless, as this is a possibility, we wanted to let our customers know the steps they can take to protect themselves against any potential misuse of the above personal information.

Passport

Passport details can be used to commit identity fraud. This means that a fraudster could use those details to attempt to impersonate you to obtain a benefit or service. For example, they could attempt to open a bank account, obtain a credit card, redirect your mail or port your mobile phone.

To minimise this risk, it is important to remain vigilant for signs of identity fraud.   Click here for tips on how to protect yourself against identity fraud.

If you are concerned that your passport details may have been misused, you should contact the Australian Passport Office on 131 232 and explain that your passport details have been involved in a data breach. You can also report the matter to the police through ReportCyber.

Driver’s licence

Driver’s licence details can be used to commit identity fraud. This means that a fraudster could use those details to attempt to impersonate you to obtain a benefit or service. For example, they could attempt to open a bank account, obtain a credit card, redirect your mail or port your mobile phone.

To minimise this risk, it is important to remain vigilant for signs of identity fraud. Click here for tips on how to protect yourself against identity fraud.

If you are concerned that your driver’s licence details may have been misused, you should contact the relevant driver licensing agency in your State or Territory and explain that your driver’s licence details have been involved in a data breach. They will provide you with advice and assistance. You can also report the matter to the police through ReportCyber.

Birth certificate

Birth certificate details can be used to commit identity fraud. This means that a fraudster could use those details to attempt to impersonate you to obtain a benefit or service. For example, they could attempt to open a bank account, obtain a credit card, redirect your mail or port your mobile phone.

To minimise this risk, it is important to remain vigilant for signs of identity fraud. Click here for tips on how to protect yourself against identity fraud.

If you are concerned that your birth certificate details may have been misused, you should contact the register of births, deaths and marriages in your State or Territory and explain that your birth certificate details have been involved in a data breach. You can also report the matter to the police through ReportCyber.

Medicare number

Medicare details can be used to commit identity fraud. This means that a fraudster could use your Medicare number and other details to attempt to impersonate you to obtain benefits from Medicare or services from other businesses. For example, they could attempt to open a bank account, obtain a credit card, redirect your mail or port your mobile phone.

To protect you against this risk, Ability WA has already taken the step of notifying Services Australia that your Medicare number may have been involved in a data breach. Services Australia has placed additional security measures on your account, which aim to detect any fraudulent activity. There is nothing further you need to do; however, if you have any concerns, you can contact the Services Australia Scams and Identity Theft Helpdesk on 1800 941 126 or reportascam@servicesaustralia.gov.au.

It is also important to remain vigilant for signs of identity fraud. Click here for tips on how to protect yourself against identity fraud. If you believe that you are the victim of identity fraud, you can report the matter to the police through ReportCyber.

It is also possible that a fraudster may contact you pretending to be from Medicare or another business or government agency in an attempt to scam you or trick you into disclosing other personal information or access credentials. Click here for tips on how to protect yourself against social engineering.

COVID-19 vaccination certificate

Your COVID-19 vaccination certificate contains your Individual Healthcare Identifier (IHI), which could be used to impersonate you in an attempt to obtain government benefits. To protect you against this risk, Ability WA has already taken the step of notifying Services Australia that your IHI may have been involved in a data breach. Services Australia has placed additional security measures on your account, which aim to detect any fraudulent activity. There is nothing further you need to do; however, if you have any concerns, you can contact the Services Australia Scams and Identity Theft Helpdesk on 1800 941 126 or reportascam@servicesaustralia.gov.au.

It is also possible that a fraudster may contact you pretending to be from Services Australia or another business or government agency in an attempt to scam you or trick you into disclosing other personal information or access credentials. Click here for tips on how to protect yourself against social engineering.

Centrelink CRN

Your Centrelink CRN could be used to impersonate you in an attempt to obtain government benefits. To protect you against this risk, Ability WA has already taken the step of notifying Services Australia that your Centrelink CRN may have been involved in a data breach. Services Australia has placed additional security measures on your account, which aim to detect any fraudulent activity. There is nothing further you need to do; however, if you have any concerns, you can contact the Services Australia Scams and Identity Theft Helpdesk on 1800 941 126 or reportascam@servicesaustralia.gov.au.

It is also possible that a fraudster may contact you pretending to be from Centrelink, Services Australia or another business or government agency in an attempt to scam you or trick you into disclosing other personal information or access credentials. Click here for tips on how to protect yourself against social engineering. Services Australia’s website also has information about common scams and how to avoid them.

Jobseeker ID

Your Jobseeker ID could be used to impersonate you in an attempt to obtain government benefits. If you are concerned, you may wish to contact the Department of Employment and Workplace Relations fraud reporting hotline on (02) 6121 8900 or fraud@dewr.gov.au and explain that your Jobseeker ID has been involved in a data breach. They will provide advice and assistance.

It is also possible that a fraudster may contact you pretending to be from Centrelink, Services Australia or another business or government agency in an attempt to scam you or trick you into disclosing other personal information or access credentials. Click here for tips on how to protect yourself against social engineering. Services Australia’s website also has information about common scams and how to avoid them.

NDIS number

Your NDIS number could be used to impersonate you in an attempt to obtain benefits from the NDIS. If you are concerned, you may wish to contact the NDIS Fraud Reporting and Scams Helpline on 1800 650 717 or fraudreporting@ndis.gov.au and explain that your NDIS number has been involved in a data breach. They will apply protective measures on your NDIS account to prevent anyone impersonating you to obtain benefits from NDIS.

It is also possible that a fraudster may contact you pretending to be from NDIS or another business or government agency in an attempt to scam you or trick you into disclosing other personal information or access credentials. Click here for tips on how to protect yourself against social engineering. NDIS’s website also has information about common scams and how to avoid them.

Tax file number

Your tax file number could be used to impersonate you in an attempt to lodge fraudulent tax returns and claim tax refunds. To protect you against this risk, Ability WA has already taken the step of notifying the Australian Taxation Office that your tax file number may have been involved in a data breach. The Australian Taxation Office has placed additional security measures on your account, which aim to detect any fraudulent activity. There is nothing further you need to do; however, if you have any concerns, you can contact the Australian Taxation Office Client Identity Support Centre on 1800 467 033. More information is available on the ATO's website.

It is also possible that a fraudster may contact you pretending to be from the Australian Taxation Office or another business or government agency in an attempt to scam you or trick you into disclosing other personal information or access credentials. Click here for tips on how to protect yourself against social engineering.

Bank account details

Simply knowing your bank account number does not allow an unauthorised person to access your account. However, it is possible that a fraudster may contact you pretending to be from your bank or another business or government agency in an attempt to scam you or trick you into providing more personal information or access credentials to your bank account. Click here for tips on how to protect yourself against social engineering.

Feedback register

The records also included a register of feedback provided to Ability WA by customers and members of the public. In some cases, the feedback may have included personal information (sometimes sensitive in nature) about the person providing the feedback or others.

We acknowledge that the fact that such information may have been subject to unauthorised access may be distressing, and sincerely regret and apologise for any distress that this incident may have caused.

Additional information

Additional guidance on the steps you can take to protect yourself following a data breach can be found at the Office of the Australian Information Commissioner's website.

If you still have questions

Ability WA takes the security of your information very seriously. We apologise for any inconvenience or distress this incident may cause you. If you would like to discuss the situation with us further or if you have any questions about any aspect of this email, please do not hesitate to contact our Customer Contact Team on 1300 106 106 or email us at privacy@abilitywa.com.au.