Services Australia has disclosed a privacy incident it detected last month, which led to the halting of the printing of pensioner concession cards.
In a statement to Cyber Daily, Services Australia confirmed that over 100 customers received the wrong card, resulting in card data being shared with the wrong people.
“Services Australia is aware that around 140 customers received an incorrect pensioner concession card as the result of a printing error. The issue has been resolved, and printing of these cards has resumed,” said Services Australia general manager Hank Jongen.
You’re out of free articles for this month
To continue reading the rest of this article, please log in.
“We take the protection of customer information seriously, and we’re committed to supporting those impacted. We have contacted the Office of the Australian Information Commissioner and will continue to work with them on this matter.
“We ask anyone who thinks they may have been affected to call us or visit their local Services Australia service centre so we can help them.”
Services Australia said that when it discovered the issue in May, it instructed the third party it uses for printing to pause production so that an investigation could be launched and to prevent further cards being issued incorrectly.
“No physical cards were issued while production was paused. Digital versions of pensioner concession cards were not impacted and continued to be issued,” Jongen said.
“We’re working to ensure those impacted receive the correct concession card as quickly as possible.”
The privacy issue comes just as Services Australia’s Centrelink agency was listed online by a threat actor claiming a cyber attack. However, Centrelink denied the incident.
As detected by threat researcher Dark Web Informer, the threat actor 2019 listed Centrelink on a cyber crime forum last week.
Based on the listing and the researcher’s findings, the data was allegedly sourced from Centrelink and seems to be related to Centrelink’s Advice of Death form, which is used to notify the agency of a person’s death so that payments can be adjusted and support for the surviving family determined.
According to the post, alleged stolen data includes the full names and dates of birth and death of deceased individuals, Medicare card numbers, Centrelink reference numbers, child support reference numbers, home addresses, Aboriginal/Torres Strait Islander descent status, relationship status, hospital addresses and details, next-of-kin details including names, phone numbers and addresses, funeral director and business details, executor/admin of estate details, and the full names, signatures and declaration dates of Advice of Death notifiers.
The threat actor 2019 claims that over 2,100 records were impacted in the alleged incident.
Responding to Cyber Daily’s request for comment, Services Australia, of which Centrelink is a part, said the agency does not comment on specific cyber security operations, but confirmed that its systems were not breached.
“Services Australia takes the protection of personal information very seriously. Our platforms and systems remain secure and have not been compromised,” a Services Australia spokesperson said.
Want to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
Daniel Croft
Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.