cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

NSW Health affected in payroll software data breach, bank details compromised

NSW Health has revealed itself to have been affected by the recent Frontier Software data breach.

user icon Daniel Croft
Thu, 09 Mar 2023
NSW Health affected in payroll software data breach, bank details compromised
expand image

The state health ministry has announced that roughly 1,600 former and current staff have been affected by an attack that occurred at the end of 2021.

Frontier Software is a company that provides organisations like NSW Health with payroll software. NSW Health used the company between 2001 and 2015, meaning those who worked for the ministry within that period are at risk.

According to an FAQ it released on its website, NSW Health said that data affected could include name, phone number, residential address, tax file number, date of birth and bank details, including account number and BSB.


It did, however, confirm that no data that was compromised in the breach has been uploaded to the dark web and that Frontier Software has worked to prevent the data from being misused.

In the cases in which a TFN has been compromised, for example, Frontier Software has advised the Australian Taxation Office and has advised it to take additional security measures.

Speaking with ITNews, NSW Health has said that staff whose payroll was processed between 2001 and 2015 was affected but can no longer be accessed by unauthorised parties.

“Frontier Software has advised NSW Health that it took immediate steps to prevent the data from being leaked, and that the data is no longer accessible to unauthorised parties now, or in the future,” it said.

NSW Health has said that it has worked with the Frontier Software team through external cyber security and forensic specialists to identify who has been affected by the attack. Staff who have been affected are being notified via email, whilst ex-workers can contact a dedicated helpline at 1300 679 367.

While the attack occurred back in 2021, NSW Health is only now advising those affected. The ministry has said that this is the result of a long and difficult process to find out exactly who was impacted in the breach, comparing impacted data with all potentially impacted people and NSW Health data.

"This has been a complex and time-consuming exercise, complicated by the volume and largely unstructured nature of the data and the need to ensure in identifying, cataloguing and matching the data," it said.

"Having completed this very detailed exercise, we can confirm [if] you were impacted."

NSW Health no longer uses Frontier Software, after it replaced its payroll software with StaffLink in 2015.

The NSW Health breach once again raises the risk of data retention and the need for organisations to keep data that they perhaps should delete, such as that of ex-employees or ex and current employees of companies that an organisation no longer works with, such as Frontier Software.

The issue of data retention came to light following the major attack on Medibank, which saw a large number of former customers affected alongside current customers, for a total number affected of 9.7 million.

Home Affairs and Cyber Security minister Clare O’Neil called Australia’s data retention laws a “national vulnerability”.

“What we need to make sure is that companies are only holding data for the point in time where it’s actually useful,” she said.

Under the review of the Privacy Act being conducted by Attorney-General Mark Dreyfus, data retention legislation is being examined.

Currently, there is no data retention period established under the Privacy Act in Australia. Overseas, however, other countries have introduced data retention periods to prevent unnecessary data from being held and thus put at risk.

The EU’s General Data Protection Regulation (GDPR) says that data cannot be held indefinitely, with detailed data only allowed to be kept for a maximum of 14 months. The only exception for keeping data indefinitely is when a business is keeping it for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.