A confronting report shows that a vendor on the dark web can pull up the full Medicare card details of any Australian on request – and is selling them for around $30 each – indicating a security hole somewhere in the health system.
An investigation from the Guardian Australia details the sales listing on an undisclosed dark web marketplace, in which the vendor claims to be “exploiting a vulnerability” in order to run software that pulls the data. The vendor calls it “the Medicare Machine”.
“Leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full”, the listing says, according to the Guardian, adding that the nature of the security hole being utilised means the vendor will be “here to stay”.
In order to test the veracity of the claims, the Guardian requested the Medicare details of someone on its staff, and confirmed the received details – including the Medicare card number and personal IRN – were accurate.
Legitimate Medicare card details could be used to create fake cards, which would be handy for criminals in identity theft. The cards could be used in part, for example, to open bank accounts, apply for a passport, get a credit card or start an illegal business.
The information would not be enough, however, to access personal health record information.
The vendor appears to have made at least 75 sales, each one netting him 0.0089 bitcoin, or $29.75 by the current exchange rate.
The Department of Human Services is aware of the report, and minister Alan Tudge said in a statement that the department and the Australian Federal Police were investigating.
Unauthorised access to Medicare numbers, the minister said, was “of great concern”.
“The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made”, he said.
“The Government has an ongoing commitment to prioritise cyber security and is constantly working to further improve our capability”.