Cyber black market selling hacked ATO and MyGov logins shows Medibank and Optus only tip of iceberg


The highly sensitive information of millions of Australians — including logins for personal Australian Tax Office accounts, medical and personal data of thousands of NDIS recipients, and confidential details of an alleged assault of a Victorian school student by their teacher — is among terabytes of hacked data being openly traded online.

An ABC investigation has identified large swathes of previously unreported confidential material that is widely available on the internet, ranging from sensitive legal contracts to the login details of individual MyGov accounts, which are being sold for as little as $1 USD.

The huge volume of newly identified information confirms the high-profile hacks of Medibank and Optus represent just a fraction of the confidential Australian records recently stolen by cyber criminals.

At least 12 million Australians have had their data exposed by hackers in recent months.

It can also be revealed many of those impacted learnt they were victims of data theft only after being contacted by the ABC.

They said they were either not adequately notified by the organisations responsible for securing their data, or were misled as to the gravity of the breach.

[Image: a Medibank logo inside a shopfront set up like a waiting room] Russian cyber criminals targeted Medibank earlier this year and have drip-fed customer information in a bid to secure a ransom payment. (AAP: Lukas Coch)

One of the main hubs where stolen data is published is a forum easily discoverable through Google, which only appeared eight months ago and has soared in popularity — much to the alarm of global cyber intelligence experts.

Anonymous users on the forum and similar websites regularly hawk stolen databases collectively containing millions of Australians’ personal information.

Others were seen offering generous incentives to those daring enough to go after specific targets, such as one post seeking classified intelligence on the development of Australian submarines.

[Image: forum post titled "Aus Submarine Requests"] A user offering incentives for classified materials. The ABC could not find evidence of a transaction being made for this request. (Supplied)

“There’s a criminal’s cornucopia of information available on the clear web, which is the web that’s indexed by Google, as well as in the dark web,” said CyberCX director of cyber intelligence Katherine Mansted.

“There’s a very low barrier of entry for criminals … and often what we see with foreign government espionage or cyber programs — they’re not above buying tools or buying information from criminals either.”

In one case, law student Zac’s medical information, pilfered in one of Australia’s most troubling cyber breaches, was freely published by someone without a clear motive.

Zac has a rare neuromuscular disorder which has left him unable to walk and prone to severe weakness and fatigue. The ABC has agreed not to use his full name because he fears the stolen information could be used to locate him.

His sensitive personal data was stolen in May in a cyber attack on CTARS, a company that provides a cloud-based client management system to National Disability Insurance Scheme (NDIS) and NSW out-of-home-care service providers.

[Image: Optus "yes" sign on a glass-fronted office block] Optus customers’ private information was compromised after a cyber attack hit the phone and internet provider. (AAP: Bianca De Marchi)

The National Disability Insurance Agency (NDIA), which is responsible for the NDIS, told a Senate committee it had confirmed with CTARS that all 9,800 affected participants had been notified.

But ABC Investigations has established this is not the case. The ABC spoke with 20 victims of the breach; all but one — who later found a notice in her junk mail — said they had not received a notification or even heard of the hack.
