An employee of the National Disability Insurance Agency (NDIA) has been arrested and charged for leaking recipients’ data. Another individual who allegedly received the information and posed as an NDIS provider has also been charged. The NDIA has not disclosed the number of impacted participants but has stated that the leaked information included participants’ full name, date of birth, gender, and address. There is no evidence to suggest that the personal information has been distributed beyond the network under investigation. The NDIA has not disclosed when the unauthorized disclosure was first detected. The investigation into a disability service provider led to a raid on a Sydney residence where the NDIS staff member lived, resulting in charges related to the unauthorized disclosure of protected agency information. Additionally, a separate premises in Sydney was searched, and two individuals acting as NDIS providers were questioned, with one later being charged. Both individuals and their associated provider companies have been barred from delivering supports to NDIS participants. The NDIA believes the incident is financially motivated and will directly contact all impacted individuals. In cases where the level of personal information disclosed puts a participant at greater risk, the NDIA has contacted the participant or their support network to ensure their welfare and continued receipt of disability-related supports. The NDIA was also affected by the HWL Ebsworth breach earlier this year, which exposed information from multiple federal agencies. In October, the NDIA revealed that 645 participants’ and prospective participants’ information was included in the 1.1 TB of hacked data, and it took six weeks to notify all of them.