Cybersecurity experts say the highly sensitive data of 12.9 million Australians, stolen from eScripts provider MediSecure, has already been sold on the dark web and is up for sale again.
The 6.5 terabyte trove contains identifying details such as names, phone numbers, addresses, and Medicare numbers, as well as sensitive medical information such as which drugs people had been prescribed and why.
MediSecure confirmed in May it was the victim of a ransomware attack in 2023, and last week revealed the scale of the breach, which puts it among the largest in Australian history.
It was previously unclear if the data had been sold, but cyber threat intelligence analysts say there's a strong indication that at least one sale has taken place.
As previously reported by the ABC, the data of almost one in two Australians was initially listed for sale with a price tag of $50,000.
The ABC can reveal the post now lists the data as sold, and a subsequent post on a separate dark web forum offers to resell the entire trove at half price — for $25,000.
Neither ad specifies a currency, but the default on such marketplaces is usually US dollars.
Both appear to have been listed by the same user, who goes by the moniker "Ansgar".
"Basically what they're saying is, 'We have sold this to one person, so we're going to lower the price from the original $50,000 to $25,000'," Jamie O'Reilly, founder of Australian company, Dvuln, which provides cybercrime intelligence services to large businesses, said.
At the original price, a buyer would be paying roughly $4 for the data of 1,000 Australians, and only $2 at the reduced rate.
"The types of people that would want this information are people who are going to be leveraging it further to exploit people," Mr O'Reilly said.
He said at that price, it would offer a lucrative return on investment.
"The thought process a cybercriminal's going to go through … is 'how much is it going to cost per record?' And then 'how much money can I make per record or per person?'"
"Even one of those 1,000 Australians has [the] potential to pay for the rest of the 1,000."
Dealing in doubt on the dark web
The secretive nature of dark web marketplaces means verifying whether the data has been sold is a near-impossible task.
Sales such as this one take place between anonymous parties under the cloak of encryption, and cyber security operatives need to infiltrate specific forums to monitor trades.
"We've got to build relationships with these people online — who are not just stealing the information, but also trading it — all while not being detected," Mr O'Reilly said.
While absolute verification is largely beyond reach, Mr O'Reilly and multiple other cybercrime intelligence specialists the ABC has spoken to believe it's highly likely at least one sale has taken place.
"I'm very confident that if someone has this data out there, which they clearly do, they would have found a way to monetise it," he said.
"This forum has been around for quite a long time, more than 10 years, and they do have a good reputation.
"If it does say sold, then I would assume by all means it was sold.
"What I don't know is the exact figure … did it sell for only $2,000 or $20,000?"
Mr O'Reilly says another unknown is when such a sale would have taken place, and that it could have happened any time after the initial ad was posted.
In a statement to the ABC, the National Cyber Security coordinator Lieutenant General Michelle McGuinness said "the Australian government is aware of continued advertisements that purport to contain a dataset exfiltrated from MediSecure".
"We have not seen any information to suggest any data outside the initial sample has been published."
She also reiterated her advice to Australians not to go looking for the data.
"No one should access stolen sensitive or personal information … It can be a criminal offence to deal in stolen personal information and we should not feed into the business model of cyber criminals."
Breach adds missing pieces to a criminal 'mosaic' of data
Each large-scale data breach heightens the risk for Australians, according to the Privacy Commissioner Carly Kind.
"There is the risk of a mosaic approach whereby bad actors, data brokers, and others can now start to piece together the personal information … through multiple data breaches," she said.
MediSecure is just the most recent in a string of Australian companies to find itself compromised in such a way — Optus and Medibank were breached in 2022, and financial services company Latitude followed in 2023, with each incident affecting millions.
"So certainly, this recent breach risks aggravating an already bad situation," Commissioner Kind said.
"Most Australians should assume that at some point, their information has been out there at different levels," Mr O'Reilly said.
"All of this information put together in the right hands can be used against them."
Cyber intelligence experts say more breaches are likely taking place than are being publicly reported.
"There's this misconception that if you are hacked, it will be on the news," Mr O'Reilly said.
"This has only been a trend with ransomware because it fits their business model.
"There is a whole other world of hackers who existed way before ransomware gangs existed, who still just want to be quiet.
"It's important for companies to remember … just because it isn't in the news doesn't mean you haven't been hacked.
"The onus is on organisations and businesses to really take steps to protect individual Australians now," Commissioner Kind said.
"And that means looking after the data that they hold, but it also means not collecting and holding information that they don't need."
Loading...