The ABC can reveal that sensitive medical data of nearly one in two Australians, stolen from e-scripts provider MediSecure, is now listed as 'sold' on the dark web. The company said last week that 12.9 million people had been exposed in the breach, which took place last year. Now, an online listing suggests that not only has it been sold, but it's being hawked a second time at the half-price rate of 25 thousand dollars.
Transcript
00:00 There are these two ads that have popped up on these dark web marketplaces.
00:07 So these are the forums where data such as the MediSecure trove are bought and sold.
00:14 So the first ad popped up in May, advertising it for $50,000, saying one buyer only.
00:22 And the story sort of went cold after that.
00:24 That was the last news we heard.
00:25 But now we can say that that ad, as you say, it's saying sold in big red letters.
00:33 And there's a second ad that cropped up on a separate forum, but seemingly from the same
00:39 user or a user using the same name, at least, Ansgar, and advertising it at that half price
00:46 bargain bin rate of $25,000.
00:49 The reason there, or the stated rationale at least, being that, well, I've sold it once,
00:54 the second buyer, you're getting a discount.
00:57 Anyone looking to buy data, people have different reasons.
01:02 Some people are kind of building a bigger database, and some people are just looking
01:06 to make a quick buck.
01:07 Some people might be looking to resell the data.
01:10 There are a range of uses that a cyber criminal might have for buying the data.
01:15 In fact, sometimes companies themselves and governments, they buy it back.
01:21 Not that that's necessarily disclosed.
01:24 So it could be many, many buyers.
01:26 But if it were someone looking to make money, they would be looking for a return on investment.
01:33 And if you break down what this data is being sold for, sort of per dollar per person, it
01:39 works out to be, at the original price, about $4 for 1,000 Australians' details, $2 at the
01:45 sale price.
01:47 So you would only have to, I guess, exploit one of the 1,000 within that group to make
01:57 that pay for itself.
01:59 You'd have to do it many times over, but that's kind of the economics of that trade.
02:06 We spoke to the Privacy Commissioner, Carly Kind, for this story as well, and she's taking
02:10 more of a big picture view.
02:12 She's looking at what the cumulative impact of the large-scale data breaches of the last
02:18 few years is.
02:19 So we're looking at Medibank, looking at Optus, you know, Latitude even, so many, many millions
02:26 of Australians exposed in those breaches, some of them many times over.
02:32 And she said that all does add up.
02:35 There is the risk of a mosaic approach whereby bad actors, data brokers and others can now
02:41 start to piece together the personal information that has been leaked on Australians through
02:47 multiple data breaches.
02:49 So certainly this recent breach risks aggravating an already bad situation.
02:55 Privacy Commissioner Carly Kind there talking about the compounding effect of these kinds
02:59 of breaches.
03:00 We also had a statement from the National Cyber Security Coordinator, Lieutenant General
03:05 Michelle McGuinness, who said that the government is aware of these ads.
03:11 There's no sign at this point that the data is more widely available, that they can see
03:16 at least.
03:17 And she's repeated her advice to Australians to not go looking for the data as difficult
03:23 as that may seem.
03:24 People will obviously be worried, but she reminded us that it can in fact constitute
03:30 a criminal offence in and of itself.