There’s one thing the government can do to quickly catch the Medicare data seller


A tech security expert has suggested government authorities pay for the dark web service that returns Australians’ Medicare details, in order to track where the breach is occurring.

On Tuesday, The Guardian broke the news that for $30 it purchased a staff member’s details from the dark web vendor. The Department of Human Services referred the breach to the Federal Police.

Security expert and creator of the Have I Been Pwned website Troy Hunt told Business Insider that if the law enforcement agencies were “smart”, they would simply pay for the service themselves a few times to track how and where the data was being accessed.

“They would fly the radar until Medicare can pull the thing apart and figure out what’s going on,” he said.

“The trick for [the government] now will be that inevitably it’s a large and complex system… so they have to look at everything from server logs to lines of code and figure out where is that one place where an arbitrary unauthorised third party can query the system and pull out a piece of information.”

Co-founder and chief executive of Israeli cybersecurity firm Votiro, Itay Glick, said that deliberately placing some fake data then purchasing it could assist in investigations.

“A technique that’s used to narrow down the location of a breach is to include a portion of fake or dummy data that is unique to each version of the data set, and then attempt to purchase that specific piece of dummy data.”

“If you can purchase it, then you immediately know which set has been leaked. After that, it would make sense to do a forensic analysis on the organisation or site of the breach.”
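The per-copy dummy-data technique Glick describes, as an added example (not code from the article or from anyone quoted in it): each copy of the data set gets fake records derived from a keyed hash of its label, so a record that turns up for sale can be traced back to the copy it came from. The key, name pools, copy labels and sample rows are constructed assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed demo values: the key, name pools and copy labels are assumptions.
KEY = b"demo-only-secret-kept-by-the-data-owner"
FIRST = ["Avery", "Blake", "Casey", "Devon", "Ellis", "Frankie", "Harper", "Jules"]
LAST = ["Ashdown", "Birchall", "Copeland", "Dunmore", "Eastwick", "Fairley"]


def canary(copy_id: str, n: int) -> tuple:
    """Derive the n-th fake record for one copy of the data set from a keyed hash."""
    d = hmac.new(KEY, f"{copy_id}|{n}".encode(), hashlib.sha256).digest()
    dob = date(1940, 1, 1) + timedelta(days=int.from_bytes(d[2:4], "big") % 22000)
    ref = f"{int.from_bytes(d[4:12], 'big') % 10**10:010d}"  # fake reference number
    return (FIRST[d[0] % len(FIRST)], LAST[d[1] % len(LAST)], dob.isoformat(), ref)


def seed(real: list, copy_id: str, count: int = 3) -> list:
    """Return a copy of `real` plus `count` canaries that match no real person."""
    taken = {r[:3] for r in real}            # (first, last, dob) of genuine records
    out, n = list(real), 0
    while count:
        c = canary(copy_id, n)
        n += 1
        if c[:3] in taken:                   # never shadow a genuine identity
            continue
        taken.add(c[:3])
        out.append(c)
        count -= 1
    return sorted(out)                       # sorting hides where the canaries sit


def attribute(observed: list, copy_ids: list, scan: int = 16) -> dict:
    """Map each copy id to the number of its canaries found in `observed`."""
    seen = set(observed)
    hits = {cid: sum(canary(cid, n) in seen for n in range(scan)) for cid in copy_ids}
    return {cid: k for cid, k in hits.items() if k}


REAL = [("Sam", "Nguyen", "1984-03-12", "0000000001"),
        ("Priya", "Rao", "1991-11-30", "0000000002")]   # constructed sample rows
COPIES = ["copy-A", "copy-B", "copy-C"]
DATASETS = {cid: seed(REAL, cid) for cid in COPIES}

if __name__ == "__main__":
    bought = [r for r in DATASETS["copy-B"] if r not in REAL][:1]  # one purchased row
    print(attribute(bought, COPIES))
```

Because the canaries are recomputed from the key, the investigator needs no stored lookup table of fake records, only the key and the list of copy labels.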

On Wednesday, human services minister Alan Tudge maintained that the data leak was not from a cyberattack or a system flaw, but a legitimate account that had been taken over by an unauthorised person.

“In the past, we’ve had people literally break into doctors’ clinics to seize Medicare card numbers,” he said on Sky News, adding that people’s health records were not at risk.

“I want to emphasise that it’s highly unlikely that it was a cybersecurity attack as such, and much more likely that it was a traditional criminal activity.”

Hunt told Business Insider that even though the information obtained through the breach in itself may not be directly useful, the bigger consequence for victims would be identity theft — using the Medicare data to create fake identifying documents.

“[With this data] you can’t go into another website and login as someone’s Amazon account and buy stuff. But it’s serious in another way because if this is used for any sort of impersonation… the risk we then have is identity theft, which is much more nastier.”

The details requested by the dark web merchant – first name, surname and date of birth – are precisely the mandatory fields for the HPOS online tool, which allows medical professionals to pull up patient details without having to manually contact the Department of Human Services.

Tudge also told Sky News that he has briefed the head of the Australian Medical Association, Michael Gannon, on the issue.

Votiro director Daniel Sekers said that if the hacker had enough skills to tap into Medicare’s systems, they would be good enough to “hide their tracks”.

“Even if they did find the perpetrator or group, it is highly likely that they are in a country with no legal recourse or extradition,” he said.

If the breach was known before the news broke publicly, Sekers added, the government should have made it known earlier to set an example for the private sector.

“There was clearly a breach of Medicare’s data and, in line with the impending data breach disclosure laws, the government should have been on the front foot and disclosed the breach,” he said.

“We need to promote an acceptance around disclosure and a much harsher and more descript penalty regime to help society take a pre-emptive stand against cybercrime.”