Government’s GPMS bungle worsening – My Aged Care’s backend supplier Salesforce reportedly hacked and clients’ data leaked to readily awaiting internet
Published on 16 October 2025

With recent confirmation that Salesforce has been hacked, and data from numerous clients compromised, pressure is mounting on the government to front serious questions about how money is being spent on the digital advancement of the aged care portfolio. With My Aged Care being serviced by Salesforce as the backend supplier, providers and residents alike deserve to know if, and what, highly sensitive data has been compromised and possibly leaked.
GPMS blowout and now hack – Insult to injury
The hack has compounded frustrations in an already widely acknowledged budgetary and planning bungle when it comes to the government and Salesforce. What started out as a $13.5 million tender to build the Government Provider Management System (GPMS) ballooned to close to $150 million, footed by the taxpayer and providers. Lauded by the Commonwealth as the solution to provide sleek compliance and elevate care, the GPMS system, built on Salesforce technology, has been nothing but a headache for providers and the taxpayer, with little to show for supporting the care of the nation’s most vulnerable seniors. Now, with Salesforce’s vulnerabilities potentially highlighted by the recent hack, more questions than ever are heading to Canberra.
Salesforce hacked
Reporting by SecurityWeek notes that a “threat actor” group calling themselves “Scattered LAPSUS$ Hunters” has posted that 39 clients of Salesforce were targeted in their recent hacking campaign. The group claims that they were able to extract sizable troves of data from Salesforce servers and quickly threatened to leak it if a ransom was not paid.
Possible compromise – My Aged Care
While neither My Aged Care nor any government department has been overtly listed, companies marked as compromised by the group include Qantas, Allianz, Google and Workday, all heavily used in Australia. The hackers have announced the theft of around 1 billion records of personal or sensitive data of clients, SecurityWeek reports.
Another media platform that was able to contact the hackers was told that further businesses were compromised as well but not publicly listed, elevating the need for a speedy government and police investigation on behalf of all GPMS users and their information.
Leaked data
The hacking coalition claims to have recently made good on its threat to leak the data it says is from the attack on Salesforce at the end of September/early October.
In a move that is becoming eerily common, Salesforce publicly stated that the recent extortion attempt was unsubstantiated, in that it was related to “past or unsubstantiated incidents”. In early October the company refused to comply with the hackers’ demands. Subsequently, the hackers state they have made large amounts of data publicly available on their Tor-based leak site.

In an increasingly concerning response by large companies who have had customers’ sensitive information hacked and distributed, Qantas stated four days ago, “In July Qantas proactively advised all impacted customers of the types of their personal data that was contained in the impacted system and this has not changed”.
A more deserving public
The appetite for contrite platitudes about transparency over what data has been leaked, and for ‘tips and tricks’ on how to respond when personal information has been accessed, has long been wearing thin for the majority of Australians and providers alike.
From the Optus hack, to Qantas, and potentially now Qantas again, the flippant, painfully clinical and distanced reactive attitudes of companies are in dire need of legislative overhaul and punitive measures.
Particularly as it stands, with Salesforce being the source of a staggering increase in cost to the taxpayer with GPMS and the potential compromise of highly sensitive data of Australia’s seniors, there is a grave need for investigation and safeguarding.
With the GPMS blowout being not just in costs, but also in the delayed functional use promised to providers, there is an absolute need for the government not only to examine how the aged care department handles contracts and relationships with big tech, but also to specifically front questions about the depth of the bungles and its plans to mitigate future errors and vulnerabilities.
The government is quick to remind providers that the future is digital; it must accordingly substantiate how it will itself meet that shift with economy, intelligence and aptitude.
Pre-emptive excellence over reactive flailing
Whether or not My Aged Care has been compromised in the Salesforce hack, the bungling of cost and support to a sector that needs quality to provide quality means the Australian public, its seniors, and hard-working aged care personnel deserve better management, policy and guardrails.
The sector is expected to sustainably achieve excellence; the same must be said of government processes. As the changing digital landscape continues to careen forward in both progress and new threats, the aptitude of government must be lifted when operating in the digital space it so ardently wants adopted by providers across the nation.