The ABC can reveal that sensitive medical data of nearly one in two Australians, stolen from e-scripts provider MediSecure, is now listed as 'sold' on the dark web. The company announced last week that 12.9 million people had been exposed in the breach, which occurred last year. Now, an online listing indicates that not only has the data been sold, but it is being offered a second time at the reduced price of $25,000.
Transcript
00:00There are these two ads that have popped up on these dark web marketplaces.
00:08So these are the forums where data such as the MediSecure trove are bought and sold.
00:15So the first ad popped up in May, advertising it for $50,000, saying one buyer only.
00:22And the story sort of went cold after that.
00:24That was the last news we heard.
00:26But now we can say that that ad, as you say, it's saying sold in big red letters.
00:34And there's a second ad that cropped up on a separate forum, but seemingly from the same
00:40user or a user using the same name, at least, Ansgar, and advertising it at that half price
00:46bargain bin rate of $25,000.
00:50The reason there, or the stated rationale at least, being that, well, I've sold it once,
00:55the second buyer, you know, you're getting a discount.
00:58So how legit is that second sale and second sale price?
01:01I mean, has it actually been sold the first time?
01:04Well, this is the thing about the dark web and about these forums that we're talking
01:08about is it's really impossible to verify in a complete sense.
01:15The people who monitor these and sort of feed the information back to me, they've had to
01:19essentially infiltrate these places by winning the trust of people in that community posing
01:26as hackers.
01:27And, you know, it's quite nefarious and shadowy.
01:30And so they've had to go on.
01:31And then once you're on there, you know, it's encrypted and everyone is anonymous.
01:35And so the only way to truly verify would be to buy the data yourself.
01:39And we're not recommending that anyone do that.
01:41And I certainly haven't.
01:42But yeah, what we have been told by the cybersecurity specialists who do monitor those spaces for
01:49us is that it would be very confident that the data has changed hands at some point.
01:57What they paid, who bought it, we can't know, but there would have been plenty of people
02:02interested.
02:03OK.
02:04So if that's the case, even though it's not an absolute given, but if it has been sold,
02:07what does the sale of that data mean to the almost 13 million Australians affected?
02:13And how might someone who buys this data use it?
02:17So anyone looking to buy data, they look, you know, people have different reasons.
02:23Some people are kind of building a bigger database and some people are just looking
02:27to make a quick buck.
02:28Some people might be looking to resell the data.
02:31There are a range of uses that a cyber criminal might have for buying the data.
02:36In fact, you know, sometimes companies themselves and governments, you know, they buy it back.
02:42Not that that's necessarily disclosed.
02:44So it could be many, many buyers.
02:48But if it were someone looking to make money, they would be looking for a return on investment.
02:54And if you break down what people, what this data is being sold for sort of per dollar
02:58per person, it works out to be at the original price, about $4 for a thousand Australians
03:04details, $2 at the sale price.
03:08So you would only have to, I guess, exploit one of the thousand within that, you know,
03:16within that group to make that pay for itself.
03:20You'd have to do it many times over, but, you know, that's kind of the economics of
03:25that trade.
03:27We spoke to the Privacy Commissioner, Carly Kind, for this story as well.
03:31And she's taking more of a big picture view.
03:33She's looking at what the cumulative impact of the large scale data breaches of the last
03:39few years is.
03:40So we're looking at Medibank, looking at Optus, you know, Latitude even.
03:46So many, many millions of Australians exposed in those breaches, some of them many times
03:51over.
03:53And she said that all does add up.
03:56There is the risk of a mosaic approach whereby bad actors, data brokers and others can now
04:02start to piece together the personal information that has been leaked on Australians through
04:08multiple data breaches.
04:10So certainly this recent breach risks aggravating an already bad situation.
04:16Privacy Commissioner Carly Kind there, talking about the compounding effect of these kinds
04:20of breaches.
04:21We also had a statement from the National Cyber Security Coordinator, Lieutenant General
04:26Michelle McGuinness, who said that the government is aware of these ads.
04:31It's not, there's no sign at this point that the data is more widely available, that they
04:37can see at least.
04:39And she's repeated her advice to Australians to not go looking for the data, as difficult
04:44as that may seem.
04:45People will obviously be worried, but she reminded us that it can in fact constitute
04:51a criminal offence in and of itself.
04:53OK, Angela Vopier, thanks for the update.
04:55Thanks.