During Australia's federal Budget Estimates last year, senators questioned Services Australia on a variety of initiatives under its purview, ranging from the COVID-19 digital certificate rollout to the botched Robo-debt programme.
The purported lack of security of Australia's COVID-19 digital certificates concerned Labor Senators Tim Ayres and Nita Green, with both accusing the certificate of being easily falsified by man-in-the-middle cyber-attacks.
Fenn Bailey, a Melbourne-based software developer, discovered the security flaw in September 2021 after reading about previous publicly disclosed flaws. He observed that the government was using a "high-school grade permissions password" to prevent unauthorized people from altering or copying vaccination certificates. Mr. Bailey discovered that it was then possible to change a name or the vaccinated status on the certificate.
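The distinction at the heart of this finding is between an access-control setting and an integrity check: a permissions password only governs what a compliant viewer will let a user do with a document, and a verifier scanning the certificate has no way to tell that the setting was bypassed. An integrity tag computed by the issuer over the certificate fields does let a verifier detect any later change. The following Python is an added illustration, not code from the article or from Services Australia; the certificate fields, the `permissions` metadata and the HMAC key are all constructed for the demo, and a real deployment would use a public-key signature so that verifiers need not hold the issuer's secret.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real system this would be an issuer signing key,
# and verifiers would hold only the public half.
ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"


def canonical(cert: dict) -> bytes:
    """Deterministic serialisation so the tag covers exactly the displayed fields."""
    return json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()


def issue(cert: dict) -> dict:
    """Attach an integrity tag (HMAC-SHA256) over the certificate fields."""
    tag = hmac.new(ISSUER_KEY, canonical(cert), hashlib.sha256).hexdigest()
    return {"cert": cert, "permissions": {"edit": False}, "tag": tag}


def permissions_only_check(doc: dict) -> bool:
    """What a viewer's 'no edits allowed' flag amounts to: a self-asserted
    metadata value. It is identical on an original and on an altered copy,
    so it tells a verifier nothing about whether the content changed."""
    return doc["permissions"]["edit"] is False


def verify(doc: dict) -> bool:
    """Recompute the tag over the fields as presented; constant-time compare."""
    expected = hmac.new(ISSUER_KEY, canonical(doc["cert"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["tag"])


def altered_copy(doc: dict, field: str, value) -> dict:
    """Copy of a certificate with one displayed field changed, tag left intact."""
    copy = {"cert": dict(doc["cert"]), "permissions": dict(doc["permissions"]), "tag": doc["tag"]}
    copy["cert"][field] = value
    return copy


# Constructed sample certificate (hypothetical fields, not the real format).
SAMPLE = {"name": "Jane Citizen", "vaccinated": False, "issued": "2021-09-01"}


def demo() -> dict:
    """Compare the two checks on an original and on two altered copies."""
    signed = issue(SAMPLE)
    name_changed = altered_copy(signed, "name", "Someone Else")
    status_changed = altered_copy(signed, "vaccinated", True)
    return {
        "original": (permissions_only_check(signed), verify(signed)),
        "name_changed": (permissions_only_check(name_changed), verify(name_changed)),
        "status_changed": (permissions_only_check(status_changed), verify(status_changed)),
    }


if __name__ == "__main__":
    for case, (perm_ok, tag_ok) in demo().items():
        print(f"{case:15s} permissions-flag passes={perm_ok}  integrity-tag passes={tag_ok}")
```

Run as a script, the permissions-flag column is `True` for all three documents, while the integrity-tag column is `True` only for the unaltered original. That is the property a verifier needs, and it is the one a permissions password cannot provide.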
Responding to the senators' concerns, Services Australia stated that it was aware of reports of man-in-the-middle cyber assaults using the Medicare Express Plus app, but dismissed the worries by stating that such attacks "need significant knowledge and skill."
It further stated that no vulnerability disclosure mechanism exists for digital vaccination certificates, and that there are no plans to develop one in the future. This is despite security researcher Richard Nelson detailing last year how difficult it is for the private sector and the general public to report certificate issues to the government, a point Ayres raised during Budget Estimates.
"Services Australia takes the integrity of the Medicare system and the Australian Immunisation Register extremely seriously," Services Australia said in its response to questions on notice. "Full cyber assessments are undertaken several times a year and we work closely with the Australian Signals Directorate and Australian Cyber Security Centre on potential vulnerabilities on mobile applications."
The Digital Transformation Agency (DTA) released an update for Australia's other federal COVID-19 product, COVIDSafe, stating that the app's monthly running costs have been roughly in line with its expectation of around AU$60,000 per month since it took over responsibility for the app. During Budget Estimates, Labor Senator Marielle Smith asked the DTA how many individuals had downloaded and then removed the app, but the agency said it does not track that data.
In response to complaints regarding Services Australia's progress in refunding incorrectly issued Robo-debts, the agency supplied additional information about the clients who have yet to receive a refund.
According to the agency, approximately 8,500 customers have yet to receive a reimbursement; of these, 501 are deceased estates, 280 are incarcerated, 539 are Indigenous, and 106 had a vulnerability indicator on their customer record at the time they were last paid.