Mock Medicare cards featuring the legitimate details of Australian citizens are being sold on the dark web for less than $30.
A new report from The Guardian Australia has sparked fears of widespread identity theft, after it revealed any Australian’s Medicare card can be replicated on request.
“Purchase this listing and leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full,” the vendor’s listing reportedly said.
The Guardian Australia journalist was able to buy his own Medicare card details from the vendor, using bitcoin equivalent to about $28.70 in Australian dollars.
The illegal vendor claims to be “exploiting a vulnerability” from a “solid foundation” to create the cards.
At least 75 Medicare card details have been sold since October 2016, when the vendor changed their method of selling the details, the listing reportedly claims.
The Australian Federal Police (AFP) is investigating the claims.
Human Services Minister Alan Tudge said he'd been advised it was likely not the result of a cyber security breach.
“The advice I have received from the chief information officer in my department is that there has not been a cyber security breach of our systems as such, but rather it is more likely to have been a traditional criminal activity,” Mr Tudge said.
“Medicare card numbers alone have been obtained … Nobody’s health records can be accessed just with a Medicare card number.”
The department regularly investigates cyber security issues on the dark web, Mr Tudge said.
Acting Opposition Leader Tanya Plibersek said the government needed to explain the “very, very serious privacy breach”.
“It is absolutely critical that the government explain – today, immediately – how many records have been breached. When did the government find out that this security risk was occurring?” Ms Plibersek told reporters in Melbourne.
“What have they done to notify people whose records might have been sold?”
Assistant Treasurer Michael Sukkar said the government took the protection of data “extraordinarily seriously” and would do anything possible to secure it.
“It’s very alarming to me if any of that data is finding its way into hands that it shouldn’t be,” he told Sky News.
“All I can do is assure you that we will do absolutely everything possible to protect that data,” Mr Sukkar said.
“If that means more work and more upgrades to our system, then so be it.”
Labor opposition frontbencher Brendan O’Connor said there was a risk of invasion of privacy.
“People are rendering up, yielding their personal information to government agencies,” he told Sky News.
“They don’t expect them to be invaded or accessed so easily as this story would suggest.”
Banks et al often pay private infosec firms to monitor markets like this for their data. Does .gov.au do similar assurance for its datasets? https://t.co/yToExCkvEy
— Tim Watts MP (@TimWattsMP) July 3, 2017
Labor MP Tim Watts said the government should not be finding out about potential data breaches through journalists.
He said the government should monitor the dark web to detect whether its data has been compromised and sold.
“Banks et al often pay private InfoSec firms to monitor markets like this for their data. Does .gov.au do similar assurance for its data sets? … If not, why not?” Mr Watts wrote on Twitter.
“A ‘no comment’ from DHS isn’t good enough at this point either. Prima facie evidence of an exploit exposing this data demands explanation.”