Cyber criminals are holding major care provider Anglicare to ransom with fears highly sensitive information about vulnerable children has been stolen in a hack.

Anglicare cyber attack sees sensitive child data stolen

Cyber criminals are holding major care provider Anglicare to ransom with fears highly sensitive information about NSW's most vulnerable children has been stolen in a database hack.

The not-for-profit provider of foster care and aged care services was targeted in a ransomware attack on August 31.

Hackers have demanded payment for the return of stolen data.

More than 17 gigabytes of data from Anglicare servers in Sydney was sent to computers in New Zealand with the thieves demanding payment for its return.

One source said the data could likely include psychologists' reports, records of children whose parents are incarcerated for violent offences, parenting capacity assessments and school records - which NSW Family and Community Services shares with Anglicare as a service provider.

Anglicare said it would not negotiate with the cyber thieves.

"There has been a demand for a ransom as you might expect with a ransomware attack," a spokesman said.

"Anglicare's incident response plan seeks to avoid entertaining engaging with cyber criminals."

NSW Police said it was conducting inquiries. Anglicare has also notified the Australian Signals Directorate, the top-secret agency responsible for national cyber security.

Anglicare provides child protection, housing and counselling services to FACS.

It said there was "no current evidence that data has been stolen".

"We have identified 17GB of data transmission to a remote location and this forms part of the forensic investigation in progress; it is therefore premature to speculate on the impact."

"In the event that we determine personal information has, or is likely to have been, accessed, we will inform affected individuals in accordance with our commitment to privacy and other obligations to clients, staff and other stakeholders.

"Anglicare took immediate steps to isolate and block the unauthorised access to our systems."

But FACS chief information security officer Matthew Fedele-Sirotich issued a dire warning to staff about the fallout.

"We should assume that the threat actor has a substantial amount of data," Mr Fedele-Sirotich said in a September 3 email to senior bureaucrats.

"It could be client data, it could be data we have shared with them. This could be released into the public arena."

The email said the majority of Anglicare servers have been affected, including every employee's username and password.

Anglicare claims the ransomware impacted Anglicare Sydney's systems and not government systems.

"Very limited analysis has led them to believe that they were exploited via a partners account," Mr Fedele-Sirotich said.

"Given they have yet to undertake forensics to properly understand records etc, we should consider their network to still be at threat if not still breached."

PSA general secretary Stewart Little.

There are fears private information about vulnerable children could become public.

Public Service Association general secretary Stewart Little said: "The NSW Government needs to do an urgent review of all providers of cyber security systems but ultimately it needs to bring this data back into its control and end this failed experiment with privatised essential services."

NSW Police said they are "aware of the matter and are conducting inquiries" while the company also notified the Australian Signals Directorate.

A NSW government spokesman said it was not aware of any impacts on government systems or services from the cyber attack.

"Cyber Security NSW, together with DCJ, is working closely with Anglicare to assist with their investigation and response to the incident," he said.

Cyber security expert Nigel Phair.

Former AFP officer and cyber security expert Nigel Phair said most private organisations do not have the same level of security as government departments - which are required to comply with the ACSC Essential Eight mitigations.

Anglicare said implementation of the Essential Eight is already underway.

"Governments outsource to cut costs and one of the places companies cut costs is cyber security," Mr Phair, director of UNSW Canberra Cyber, said.

"The figure of 17GB is huge; this may impact thousands of people."

In 2018 FACS database ChildStory was slammed for glitches and security concerns.

Originally published as Anglicare cyber attack sees sensitive NSW child data stolen