In a matter of clicks on the darknet, you can purchase the details Australians use for identification and to access health services in the country.
As reported by The Guardian, a vendor on a large darknet marketplace is illegally selling patient details in a listing dubbed the “Medicare machine.”
The seller claims to get the data by “exploiting a vulnerability” in a government system.
For the price of 0.0087 Bitcoin, or A$28/US$22, buyers can give the name of the patient and their date of birth to the seller, who will provide a Medicare card number, IRN (individual reference number) and expiry date on demand.
These details are not publicly available, and can be used to create fake Medicare cards, which can be used as a secondary form of identification in Australia. It is not apparent that details about doctor visits or any other medical records are made available to the buyer.
Paul Farrell, a reporter with The Guardian, claimed to be able to purchase his own Medicare details, which turned out to be accurate. Mashable can confirm the listing is still online on the marketplace, which appears to have had 75 purchases since the listing was made available in October 2016.
The seller claims on the listing they are “exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay. I hope, lol.”
On the listing there are numerous positive reviews, the most recent of which was from Sunday.
“Legend vendor. Details checked perfect,” wrote one buyer. “i bought this as a test . it definitely works. nice one mate,” said another.
Tracking the seller down will be difficult
While the vendor faces prosecution for unlawfully accessing restricted government data, tracking them down could prove to be difficult because it’s a fully digital transaction.
“Most of the crimes we see committed on the darknet, they’re often related to exchange of physical things, such as drugs and firearms,” explained James Martin, a senior lecturer at Macquarie University’s Department of Security Studies and Criminology.
When it comes to physical goods, there’s a weakness, in that these things need to be posted. It leaves a trail of evidence, whether that be postage stamps, fingerprints on a package, or other details that can be used to track the sender down.
“In this case, when you’re just transferring small amounts of data, then that becomes very tricky,” Martin added.
Authorities could possibly track down the vendor by analysing the Bitcoin blockchain, which records transactions. It has been done successfully in Denmark, which led to the prosecution of darknet drug traders earlier this year. Whether Australian authorities have the capacity to do so is another question.
Nevertheless, the fact that personal details on a protected database are seemingly so easy to extract and sell is worrying, especially considering Australia’s metadata retention laws.
“It’s an interesting new type of data crime that we’re looking at here,” Martin said.
“Imagine if you’re an employee or contractor of any of these departments, just the ability to access any sensitive information in any job … and then make those details online without being tracked down or being identified, it’s pointing to a very troubling trend in the future.”
Compromised data a ‘great concern’ to authorities
Alan Tudge, Minister for Human Services, said in a statement the claims are “being taken seriously” and the matter would be referred to the Australian Federal Police.
“I have received assurance that the information obtained by the journalist was not sufficient to access any personal health record. The only information claimed to be supplied by the site was the Medicare card number,” he said.
“Any apparent unauthorised access to Medicare card numbers is nevertheless of great concern.”
Tudge could not “comment on cyber operations” but can “confirm that investigations into activities on the darkweb occur continually.”
“The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made,” he added.