Experts warn stolen data of 12.9 million Australians from MediSecure up for sale on dark web

  • 3 months ago
Cybersecurity experts say the highly sensitive data of 12.9 million Australians, stolen from e-scripts provider MediSecure, has been listed as 'sold' on the dark web and is up for sale again at a bargain price. The ransomware attack took place last year, and just last week, the now-defunct company revealed the scale of the breach. Online security specialist Jamie O'Reilly says it's a worrying development.

Category

TV
Transcript
00:00 The place that this is being listed as sold is a well-known crime forum where cybercriminals
00:07 congregate and sell information.
00:09 It does have a high respect in the criminal world, so we have to take that with some truth.
00:15 However, this user was a new member on the scene, so to speak, that only had an account
00:19 created for around one month.
00:21 So their reputation isn't the best in that cybercrime world.
00:25 So the government and other private parties are still trying to grasp, has this data actually
00:30 been traded around?
00:32 What sort of price are we talking here?
00:34 So the prices that we've seen are $50,000.
00:37 That doesn't indicate whether that's Australian or US dollars, but typically they talk about
00:41 US dollars when they're selling this information.
00:44 So considering how many people are affected by this, that's a pretty cheap price for our
00:49 data really, isn't it?
00:50 It is.
00:51 And I think if you're a criminal, the calculation you make is how much money can I make per
00:55 individual's information that I actually purchase.
00:58 And yeah, it's quite a good ROI from a criminal's perspective.
01:02 And I hear on sale again on there.
01:05 Correct.
01:06 So we've seen that the criminal is purporting that they've sold it to one person and now
01:10 they're going to sell it half price to the next person because they don't want to sell
01:13 it to more than two people.
01:15 Now, Jamie, this has affected so many of us, as we just said.
01:18 So can you just recap for us what sort of information has been taken here?
01:21 Yeah.
01:22 So thanks to the statement coming officially from the company MediSecure, we know that
01:25 there's at least full names, date of births, Medicare numbers.
01:30 In some of the screenshots, there's references to driver's licences as well, but we don't
01:34 know how many of those might be in the data set.
01:37 Now, we have a fair idea what can be done with this information, but what are we expecting
01:41 here?
01:42 So in this case, we really think that this is going to be used by criminals to further,
01:46 you know, defraud and launch attacks against individuals.
01:51 Do we think we'll find out who was behind this sale and who would be the buyer of this
01:56 information?
01:57 I don't think the buyer will really come out and make themselves known.
02:00 I think the person selling it may be, you know, arrested in the future, but it's hard
02:06 to say.
02:07 And this is more of our data out there.
02:09 So there is a cumulative effect here, isn't there?
02:12 There is.
02:13 And so this data out there can be used by a range of criminals.
02:17 We don't know, will this go public?
02:19 In some cases with other attacks, the data has gone completely public after it's been
02:24 stolen.
02:25 So another call for organisations, businesses to better protect our data.
02:29 Is there a bright spot here?
02:30 Are they?
02:31 Yeah, there is.
02:32 Look, it's a great lesson in the fact that, you know, a lot of...
02:35 It's obvious for medical data, but no matter what your business is, criminals will find
02:39 value in it.
02:40 So it is worth protecting.
02:42 And given that you outlined there and recapped the data that's been stolen, I mean, that's
02:45 data that can't really be changed once it's out there.
02:48 It's a little bit too late, isn't it?
02:50 It is.
02:51 This is a challenge.
02:52 Historically, our infrastructure around the globe isn't really set up to, you know, rotate
02:57 and expire certain things like driver's licences.
03:00 But as we move forward, things like digital IDs will definitely help with this.
