Chris Mordd Richards

About Chris Mordd Richards

Chris Mordd Richards is an independent freelance student journalist, currently enrolled at the University of Canberra studying a Bachelor of Journalism. Chris has been writing and publishing regularly since 2016 on a variety of online news sites, for the love and experience of it while he studies part time. Chris is also the Independent Australia Canberra Press Gallery Intern, and has covered a number of events from Federal Parliament in 2017. Chris has Asperger's and Bipolar disorder but seeks to live life to its fullest extent regardless of not being neuro-typical. You can follow him on Twitter @Mordd_IndyMedia

NDIS meal provider caught using “Password123” for their clients, refuse to change it

The Good Meal Co, an NDIS-sponsored meal provider, has been using the same default password for all the private details of their customers. When approached, they doubled down on the system, stating that it was perfectly safe.


A registered NDIS provider, The Good Meal Co, has been exposed using online security protocols for all its customer accounts that can only be described as 1990s-era security principles still in use in 2019.

This exposes hundreds if not thousands of NDIS recipients who contract with this provider, based on likely customer numbers, to possible fraudulent charges and exposure of their private data.

The Good Meal Co is one of only two companies accredited by the NDIS to provide pre-prepared meals to NDIS recipients if approved by their NDIS plan.

As a new customer of The Good Meal Co, I discovered last week that the provider is using an identical password for all its customer accounts for their online ordering system. Not only are they using the same password for all customers, but the password in use is “Password123”.

I discovered this because a Good Meal Co staff member openly revealed this to me in a phone conversation with them on Tuesday the 24th of September.

In willingly disclosing this information over the phone, they revealed to me the password of every single customer of theirs at the same time.

Combined with this knowledge, all it would take is to discover another customer's email address (used as the username for the accounts), and I could access any of the provider's customer accounts.

If one were to do so, you could view any customer's ordering history and all the addresses used for delivery of the meals to them.

When an order is placed, the NDIS recipient makes a copayment using a credit/debit card for the cost of ingredients (around $1.50-2 per meal), and the remainder of the cost for food preparation and delivery is charged to the recipient's NDIS plan.

If someone wanted to exploit The Good Meal Co's ordering system and log in to someone else's account, they could use a stolen credit card (easily obtained these days) and place an order for any amount of food they wanted, to any address they wanted.

The majority of the cost for this order would then be charged to the victim's NDIS plan.

Considering how easily one might obtain a customer’s email address to get the username for their account, compromising the password is not then a difficult feat considering how simple the password is.


The level of ineptitude and reckless disregard for modern industry standards and data privacy protection is beyond egregious; this is a vulnerability of utmost concern.

What makes it even more worrying is that The Good Meal Co staff member dismissed my concerns outright, stating they had always done it this way and it worked just fine.

I pointed out that they could be in breach of multiple regulations surrounding data privacy, as well as out of date with industry standards around online security.

They informed me that my concerns would be passed on, but it was unlikely they would change what they were doing.

It is not possible for customers to change their account password online either. I originally called the provider to find out how I could change my password after the initial login, as there is no function on their website to do this.

The provider changed the password for me, but they would then lose all access to my account and be unable to assist if I ever had any issues ordering via the website, according to the person I spoke with.

For that reason, they strongly encouraged all customers to never change the password.

[Image: The Good Meal Co homepage]

I asked why they did not use a unique password per customer – shared between the customer and them. The staff member acknowledged that they probably should do that but reiterated that things worked just fine as they were.

It has now been over a week since I raised my concerns around this with the provider in that telephone call, and I have not heard back from them since, nor have I received an email notification from them of a password reset to my account.

I can only assume that they have not, and are not, taking the issue I raised seriously. This appears to be because they clearly do not see it as an issue in the first place.

From their viewpoint, all their customer accounts are perfectly safe this way and there is no reason for concern at all.

It is for this reason, along with the egregious nature of the vulnerability itself, that I reached the conclusion that the only ethical response to this situation was to publicly disclose the vulnerability, for the sake of the customers affected and in the clear public interest.

I chose to do so following ethical disclosure principles, which involved notifying the provider in writing of the serious nature of the vulnerability, and that I would be proceeding with full public disclosure in 48 hours' time.

This was to allow the provider to mitigate the possible impact of the disclosure by resetting customer passwords and to ensure that they took the issue seriously and didn’t just attempt to brush off or ignore the issue as they did on the phone call.

I have also notified in writing, at the same time the provider was notified of the intent to disclose, the NDIS Fraud Taskforce and the Australian National Audit Office (ANAO), both of whom have an overview of all registered NDIS providers.

There is no way to know if this vulnerability has already been exploited and no-one has noticed thus far. The only way you would know is if an NDIS recipient checked their order history on The Good Meal Co website and noticed an order they did not place.

Alternatively, a savvy Plan Manager (an accountant who manages the billing for an NDIS recipient) may notice an unusual charge from the provider and discover a fraudulent order that way.

Hopefully, the provider has been lucky and no fraud has taken place thus far. The only way to know for sure, though, would be to conduct a full and thorough audit of the provider's entire operations.


I would strongly recommend all customers of The Good Meal Co immediately audit their order and billing history with this provider, or ask their Plan Manager to do so, to ensure they haven't already been a victim of fraud due to this.

It is important to note that the other NDIS meal provider, Kinela (formerly Hit100), does not have this vulnerability.

When I asked them about their security protocols for customer accounts, Kinela assured me they use unique passwords for all customers.

Whilst they sent me a very simple initial account password as well, their site allows you to easily change the password yourself, and the password is not identical to other customer accounts.

There is no reasonable excuse for this kind of outdated, reckless approach to customer security and data privacy in 2019.

This policy was intentionally designed this way by The Good Meal Co, and not questioned since, as even the staff who answer the phones are fully aware of it and do not see it as an issue.

This is not a mistake, an oversight, or a weakness in software code; this is an intentionally dangerous implementation of security protocols in order to make things easier for the company staff.

This is a massive violation of customer privacy and trust, and an avenue for fraud easily perpetrated on NDIS recipients and the government funds they have been granted.

Any person with logic and common sense should be able to easily identify why the system in place here is far from adequate; it is staggering this has been allowed to go on for this long.


Comment has been sought from The Good Meal Co, the NDIS and the ANAO regarding this matter.
