Minister for human services Alan Tudge has claimed the black market sale of personal data did not come from an electronic intrusion of Medicare systems, but rather “traditional criminal activity”.
The Guardian reported on Tuesday that for $30 it was able to purchase a staff member’s details from a seller on the dark web. The department of human services then referred the matter onto the Federal Police.
When asked about the scale of the data leak, the minister told journalists in Canberra that “the numbers involved are very small”.
“I will simply say that the advice I have received from our chief information officer is that there has not been a cybersecurity attack on our systems as such, that it is more a traditional criminal activity.”
The minister declined to say whether this meant a person legitimately employed in the medical community was leaking data out to the merchant.
Technology security expert Troy Hunt told Business Insider that the behaviour of the merchant suggested he or she did not have a large database containing millions of Australians.
“It looks much more like a vulnerability somewhere in the system which allows you to pull out just that tiny piece of information, appearing on an individual basis.”
In a twist on Tuesday afternoon, the journalist that broke the original story, Paul Farrell, was contacted by the Medicare fraud team to inform him that his card had been compromised.
Just had a call from DHS Medicare fraud division to let me know that my Medicare card is probably compromised now.
…thanks I guess?
— Paul Farrell (@FarrellPF) July 4, 2017
Minister Tudge said that this was standard practice, while declining to say whether every person that’s had their data stolen had been identified and contacted.
“If the department believes someone’s Medicare card has been compromised, they will be contacted by my department and informed and I presume the journalist has been informed about this in line with standard practice.”
Hunt told Business Insider that if the authorities were smart, they would just pay the $30 fee a few times to the seller to locate where in the system the records were being accessed.
“[With this data] you can’t go into another website and login as someone’s Amazon account and buy stuff. But it’s serious in another way because if this is used for any sort of impersonation… the risk we then have is identity theft, which is much more nastier.”
Despite the threat of identity theft, the minister took the opportunity to downplay the breach and criticise the Labor opposition for “scare-mongering”.
“Tanya Plibersek herself, used to be a human services minister. She knows exactly what the situation is. And that is no one’s health records can be obtained just with a Medicare card number.”