Online hack of ACT's container refund scheme foiled but tighter security on the way

Several schools take part in the ACT’s Container Deposit Scheme (CDS). Photo: ACT Government.

Online hackers attempting to steal money from customers of the ACT’s container deposit scheme might have been thwarted, but the operator warns now might be the time to double-check the strength of your password.

“Unknown persons mimicking express account holders had attempted to enter the customer accounts and transfer express account balances to another bank account,” customers were told in an email on Tuesday (24 January).

“Fortunately, our security protocols within the ACT express system ensured that this attempt at fraudulent activity was unsuccessful.”

Launched in July 2018 to reduce waste and greenhouse gas emissions, the Container Deposit Scheme (CDS) enables Canberrans to take eligible drink containers to return points and receive a 10-cent refund for each container.

Up to 66 per cent of adults in the ACT claim to have taken part in the scheme, and a total of 217 million containers have been returned via the ACT’s 20 return points. Up to 192 million containers have also been retrieved from waste obtained through kerbside collections.

Customers can either accept their refund in cash or set up an online account with the return point operator, Re.Turn-It. The electronic refund appears in your Re.Turn-It online account within a few business days before you can transfer it to a nominated bank account or donate it to charity.

ACT local Ryan Gilligan taking part in the CDS. Photo: ACT Government.

Following the attempted hack, Re.Turn-It temporarily disabled the ability to change bank account details while extra security patches were added to the system.

“The ACT Express system has not been breached, and the unauthorised attempt appears to be by individuals attempting to access login and password details from the customer accounts,” users were told.

“Customers with strong, unique passwords should be protected from this attack.”

The Transport Canberra and City Services (TCCS) directorate, responsible for the scheme, said restrictions will remain in place for “a few days” while Re.Turn It finalises the security patches and strengthens protections in the Express system.

“Re.Turn It has also contacted all Express Account customers whose bank account details were changed in the 72 hours prior to the attack and each customer has confirmed the changes were genuine and made by them,” a spokesperson said.

“Re.Turn It has been working closely with consultants and software developers to implement further security enhancements and software improvements that can mitigate the impact of similar attacks.”

The Australian Cyber Security Centre has also been notified of the breach.

It’s the third blow to the ACT’s recycling in the space of a few months after the collapse of Australia’s largest soft-plastic recycling program, REDcycle, in November 2022, and then the gutting by fire of the Material Recovery Facility (MRF) in Hume on Boxing Day.

The ACT Government announced plans to expand the scheme late last year to possibly include wine, spirit and cordial bottles as the states and territories look to standardise what containers they’ll accept across jurisdictions.