Services Australia brushes off vulnerability concerns in COVID-19 digital certificates


Written by Campbell Kwan, Journalist

Campbell is a journalist for ZDNet, covering technology’s impact across the gamut of government, law, and regulation.


on January 5, 2022

Topic: Security


Image: Cameron Spencer/Getty Images

During Australia’s federal Budget Estimates last year, Services Australia was grilled by senators about various initiatives under its remit, from the COVID-19 digital certificate rollout to the bungled robo-debt scheme.

Of concern to Labor Senators Tim Ayres and Nita Green was the alleged lack of security of Australia's COVID-19 digital certificates, with both criticising the certificate as easily forgeable through man-in-the-middle attacks.

In its responses to the senators' concerns, Services Australia said it was aware of reports of man-in-the-middle attacks via the Medicare Express Plus app, but brushed off the concerns by saying only that such attacks "require significant knowledge and expertise".

It added that there is currently no vulnerability disclosure program in place for the digital vaccination certificates, nor any plan to implement one. This is despite security researcher Richard Nelson last year detailing how difficult it was for private-sector researchers and the public to report vulnerabilities in the certificates to government, which Ayres referenced during Budget Estimates.

Services Australia also said the Digital Transformation Agency (DTA) had no plans to consider establishing bounty programs.

“Services Australia takes the integrity of the Medicare system and the Australian Immunisation Register extremely seriously,” Services Australia said in its response to questions on notice.

“Full cyber assessments are undertaken several times a year and we work closely with the Australian Signals Directorate and Australian Cyber Security Centre on potential vulnerabilities on mobile applications.”

As of the end of October, over 12.3 million Australians have downloaded COVID-19 digital certificates, the agency said in another response.

For Australia's other federal COVID-19 product, COVIDSafe, the DTA provided an update that the app's running costs have been around AU$60,000 a month, in line with its expectations, since it took over responsibility for the app. As of early October, there were 7.7 million COVIDSafe registrations, the DTA added.

The DTA had also been asked by Labor Senator Marielle Smith during Budget Estimates how many people had downloaded the app and then deleted it, but the agency said it does not track that data.

In regard to questions about Services Australia's progress in refunding wrongly issued robo-debts, the agency provided more information about the people still waiting on a refund.

The agency said there are now around 8,500 people yet to receive a refund. Of these, 501 are deceased estates, 280 are incarcerated, 539 are Indigenous, and 106 had a vulnerability indicator on their customer record at the time they last received a payment.

Services Australia explained that these refunds have not yet been processed because the victims have not provided the agency with bank details to receive the payment.

A Senate Committee inquiring into the robo-debt system is still waiting for Services Australia and Minister for Government Services Linda Reynolds to provide documents about the legal advice Services Australia received when implementing robo-debt. Both have refused to provide that information, claiming public interest immunity.

Related Coverage

Aussies still using COVIDSafe but it only found two potential contacts during lockdowns
How Australia's tech-savvy COVID-19 response is leaving CALD communities behind
Black market traders cash in on fake COVID-19 vaccination records
Robo-debt inquiry wants Reynolds to face Senate if she continues to refuse to cooperate
Services Australia defends use of Excel in rectifying robo-debt errors
Robo-debt committee refuses to accept Minister Reynolds’ immunity claim

