Fears child data stolen in Anglicare cyber attack
Cyber criminals are holding major care provider Anglicare to ransom with fears highly sensitive information about NSW’s most vulnerable children has been stolen in a database hack.
Cyber criminals are holding major care provider Anglicare to ransom with fears highly sensitive information about NSW’s most vulnerable children has been stolen in a database hack.
The non-for-profit provider of foster care and aged care services was targeted in a ransomware attack on August 31.
More than 17 gigabytes of data from Anglicare servers in Sydney was sent to computers in New Zealand with the thieves demanding payment for its return.
One source said the data could likely include psychologists reports, records of children whose parents are incarcerated for violent offences, parenting capacity assessments and school records — which NSW Family and Community Services shares with Anglicare as a service provider.
Anglicare said it would not negotiate with the cyber thieves.
“There has been a demand for a ransom as you might expect with a ransomware attack,” a spokesman said.
“Anglicare’s incident response plan seeks to avoid entertaining engaging with cyber criminals.”
NSW Police said it was conducting inquiries. Anglicare has also notified the Australian Signals Directorate, the top-secret agency responsible for national cyber security.
Anglicare provides child protection, housing and counselling services to FACS.
It said there was “no current evidence that data has been stolen”.
“We have identified 17GB of data transmission to a remote location and this forms part of the forensic investigation in progress; it is therefore premature to speculate on the impact.”
“In the event that we determine personal information has, or is likely to have been, accessed, we will inform affected individuals in accordance with our commitment to privacy and other obligations to clients, staff and other stakeholders.
“Anglicare took immediate steps to isolate and block the unauthorised access to our systems.”
But FACS chief information security officer Matthew Fedele-Sirotich issued a dire warning to staff about the fallout.
“We should assume that the threat actor has a substantial amount of data,” Mr Fedele-Sirotich said in a September 3 email to senior bureaucrats.
“It could be client data, it could be data we have shared with them. This could be released into the public arena.”
The email said the majority of Anglicare servers have been affected, including every employee’s username and password.
Anglicare claims the ransomware impacted Anglicare Sydney’s systems and not government systems.
“Very limited analysis has led them to believe that they were exploited via a partners account,” Mr Fedele-Sirotich said.
“Given they have yet to undertake forensics to properly understand records etc, we should consider their network to still be at threat if not still breached.”
Public Service Association general secretary Stewart Little said: “The NSW Government needs to do an urgent review of all providers of cyber security systems but ultimately it needs to bring this data back into its control and end this failed experiment with privatised essential services.”
NSW Police said they are “aware of the matter and are conducting inquiries” while the company also notified the Australian Signals Directorate.
A NSW government spokesman said it was not aware of any impacts on government systems or services from the cyber attack.
“Cyber Security NSW, together with DCJ, is working closely with Anglicare to assist with their investigation and response to the incident,” he said.
Former AFP officer and cyber security expert Nigel Phair said most private organisations do not have the same level of security as government departments — which are required to comply with the ACSC Essential Eight mitigations.
Anglicare said it is already underway in implementing the Essential Eight.
“Governments outsource to cut costs and one of the places companies cut costs is cyber security,” Mr Phair, director of UNSW Canberra Cyber, said.
“The figure of 17GB is huge; this may impact thousands of people.”
In 2018 FACS database ChildStory was slammed for glitches and security concerns.