CNET también está disponible en español.

Ir a español

Don't show this again


Medicare details of 'any Australian' sold on the darknet for $30

Forget the political slogans: This is the real Mediscare.

Medicare Becomes Key Election Issue As Pressure Mounts To Lift Rebate Freeze
Brendon Thorne/Getty Images

In the age of identity theft, private information is only ever a click away. And in the case of getting the Medicare records of any Australian, it's only going to cost you $30.

The Australian Federal Police has confirmed it is investigating a data breach at the Department of Human Services (DHS), after private Medicare details emerged on an auction site on the darknet.

The so-called "Medicare Machine," uncovered by reporters at The Guardian, offers private Medicare details to anyone requesting them, all for a fee of 0.0089 bitcoin -- equivalent to AU$30.50.

The hacker or hackers behind the Medicare Machine claim to be "exploiting a vulnerability" in DHS systems, which allows access to information on "any Australian citizen."

It's not the kind of data you'll be able to dig up just by Googling. Both the data for sale and the auction site itself are only accessible through the darknet -- a network that cannot be indexed or accessed by regular search engines or internet browsers.

The darknet is home to any number of shady and straight up illegal operations online, and it requires a dedicated browser (such as Tor) to access. But once you're in, this part of the dark web offers up drugs, illegal goods and even hacked login credentials, all to the highest bidder. Think of it like the internet of the Upside Down.

While Medicare details might not seem like the big leagues of hacking and data breaches, in the right hands, the data could be incredibly valuable to identity thieves. Think potential access to health records, scamming for Medicare rebates or even personal information that then opens the doors to impersonating the victim elsewhere online. Faked in the right way, a plastic card with a name and Medicare Number could even be used to provide 25 points of identification in a 100-point identity check.

Minister for Human Services Alan Tudge issued a statement confirming that the matter has been referred to the AFP and that reports are "being taken seriously by the government and are under investigation.

"I cannot comment on cyber operations, however, I confirm that investigations into activities on the dark web occur continually," he said. "The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made."

However, it unclear is whether the DHS even knew about the breach (or a potential vulnerability) before today's revelations.

The minister did not comment on the risk for Australians in general, but rather responded to claims that a Guardian journalist was able to access his own data on the site.

"I have received assurance that the information obtained by the journalist was not sufficient to access any personal health record. The only information claimed to be supplied by the site was the Medicare card number. The journalist was asked to provide his own name and date of birth in order to obtain the Medicare card number."

It's certainly not a good look for the DHS on the digital front. The department spent the start of 2017 dealing with the fallout of the so-called "Robo-Debt" debacle, which saw Centrelink customers hit with erroneous debt-collection notices after the department attempted to automate debt systems.

CNET asked DHS whether it was aware of the breach, what it has done to address the incident and what it is doing more generally to shore up security for its major portfolio of services. The department did not respond to these questions, pointing us instead to Minister Tudge's statement. 

But with a data breach of this size, one thing is clear: plenty more Australians will soon be asking the same questions. 

Special Reports: CNET's in-depth features in one place.

Virtual reality 101: CNET tells you everything you need to know about VR.