NDIS - Mass Email Breach (Exposure) : using government ID for social media/logins

The request was refused by National Disability Insurance Agency.

Dear National Disability Insurance Agency,

It has been reported that "More than 100,000 suspected government logins found in massive breach" https://www.afr.com/technology/more-than...

Further stating that :“This is the tip of the iceberg from what appears to be a massive data breach of government credentials, Australia-wide, by a third party." Lastly, noting that "usernames and passwords had been collected from people who had used government logins to access websites around the internet. For example, hackers may have stolen the credentials of an Australian government employee who used their departmental email to log in to another service like Netflix or Twitter. That means thousands of the usernames and passwords found in the database appear to be government email addresses"

So, my questions are:

1. Has the NDIA, staff, contractors or anyone with an NDIS/NDIA government ID been impacted, breached or list on this leak?
2. Is it against Commonwealth Government and NDIA policy and procedure to use government email ID or profiles for personal, social and non-government sign up, subscriptions or use?
3. Has anyone at the NDIA/NDIS every used government emails to sign up to or access social media services or channels such as LinkedIn, Twitter, Hootsuite, etc? If so, how many, since 2013?
4. Approximately, now many NDIA/NDIS email ID are used to sign into or access third-party systems, software or services? e.g. Salesforce, Atlassian, Microsoft, etc

Yours faithfully,


Thank you for your email to the National Disability Insurance Agency
(NDIA) Freedom of Information (FOI) team.      


If your email relates to an FOI application made under the
Commonwealth Freedom of Information Act 1982 (FOI Act), we will respond to
you as soon as practicable.     


This email address is for applications under the FOI Act only. Our team is
unable to respond to non-FOI related enquiries sent to this email address.
Any correspondence received that is not related to an FOI request will not
be responded to or forwarded.    


Please be aware: due to a high volume of requests, our ability to respond
to you in a timely manner has been affected. However, we will action your
request as soon as possible. In addition, we are currently experiencing
delays in processing FOI requests. As a result, whilst we will endeavour
to process your matter within the [1]legislative deadlines, we may need to
ask for an extension of time. We appreciate your understanding if this is


The NDIA has a number of other ways to access the documents and
information that we hold. Please visit our [2]Access to
Information webpage to find out more about accessing information

o The [3]myplace portal for participants   
o The [4]myplace portal for providers   
o The [5]Participant Information Access (PIA) scheme   
o The [6]Information Publication Scheme (IPS)  

You can also request data and statistics outside of the FOI Act. Please
visit our [7]Data and insights webpage page for further information. 

Information about how to make an FOI request can be found on our
website: [8]Freedom of Information | NDIS. The FOI Act sets out the
criteria that must be met for a request to be considered. The request you
send us must:    

o be in writing    
o state that the request is an application for the purposes of the FOI
o provide enough information to allow us to identify the documents you
are requesting    
o provide an address for reply, either electronic or hard copy.     

If you have questions about making an FOI request, or to enquire about a
current FOI request, please email us with your preferred contact method
and an FOI Decision Maker will contact you.  

Should you have a query unrelated to FOI, please contact the Agency by
email at [9][email address] or via webchat at [10]NDIA Web Chat
(ndis.gov.au). Alternatively, you can also contact us by phoning 1800 800

Kind regards   

Freedom of Information Team  
Parliamentary, Ministerial and FOI Branch  
Government Division  
National Disability Insurance Agency  
E: [11][NDIA request email]     



Visible links
1. https://aus01.safelinks.protection.outlo...
2. https://aus01.safelinks.protection.outlo...
3. https://aus01.safelinks.protection.outlo...
4. https://aus01.safelinks.protection.outlo...
5. https://aus01.safelinks.protection.outlo...
6. https://aus01.safelinks.protection.outlo...
7. https://aus01.safelinks.protection.outlo...
8. https://aus01.safelinks.protection.outlo...
9. mailto:[email address]
10. https://aus01.safelinks.protection.outlo...
11. mailto:[NDIA request email]

foi, National Disability Insurance Agency

3 Attachments

Dear Josh


Thank you for your email.


We are writing to advise you that your request for information (below) is
not a valid Freedom of Information (FOI) request under s15 of the Freedom
of Information Act 1982 (FOI Act), and as a result, we are unable to
process it.


To be valid, a FOI request must:

o be in writing
o state that the request is an application for the purposes of the FOI
o provide information about the document(s) to assist us to process your
o provide an address for reply.


Please note that the FOI team provides access to documents, not
information. However, we note that your request is phrased in the form of
general questions and it does not provide information about the specific
documents you are requesting such as the type of documents being requested
or the dates the documents were created.


As such, we are sorry to advise that we are unable to process your
request. If you would like to make a new FOI request, you can do so at any
time by emailing [1][NDIA request email].


Please contact us if you have any queries or require assistance.


Kind regards


Freedom of Information Team

Government Division

National Disability Insurance Agency

E [2][NDIA request email]

[3]NDIA logo

[4]LGBTIQA+ rainbow graphic

The NDIA acknowledges the Traditional Custodians of Country throughout
Australia and their continuing connection to land, sea and community. We
pay our respects to them and their cultures and to Elders past, present
and emerging.

[5]Aboriginal and Torres Strait Islander flags graphic





show quoted sections

Josh left an annotation ()

Understood, the NDIA holds no information, reports or analysis on the mass email breach and associated, potentially affected systems, files or data.

Dear NDIA FOI officer

I would be grateful if you would assist with my application, in compliance with s15(3) of the FOI Act.
If you are not able or willing to assist, would you please identify the grounds on which you have rejected my application.

My understanding of the objects of the Act are that you are obliged to facilitate access to information, pursuant to s3 of the Act. I welcome your assistance to achieve this, through identification of the material (document, notes, charts) that contains this information.



Josh left an annotation ()

The National Disability Insurance Agency (NDIA), which is responsible for the NDIS, told a Senate committee it had confirmed with CTARS that all 9,800 affected participants had been notified.

But ABC Investigations has established this is not the case. The ABC spoke with 20 victims of the breach, all but one — who later found a notice in her junk mail — said they had not received a notification or even heard of the hack.