Your Medicare Details Are Up For Sale On The Dark Web, And The Government Had No Idea
But the government still wants us to trust them with personal data.
In case you missed it, your Medicare details are being sold on the dark web, and it’s looking like the government had no idea this was happening until an investigation by The Guardian tipped them off this morning. It’s more than a little awkward, given how long the government just spent assuring people their census data was safe and they totally know what they’re doing when it comes to data security.
The Guardian’s investigation revealed that a seller masquerading as “the Medicare machine” is selling Medicare card details for 0.0089 bitcoin, or $22. All a buyer needs to do is provide the first name, last name and date of birth of an Australian citizen (really not that hard to do given, y’know, Facebook), and the Medicare machine will provide their patient details, including Medicare number and card expiry date.
The upside of this Medicare thing is that now I don't have to worry about losing my card. I can get my deets anytime!
— John Birmingham (@JohnBirmingham) July 3, 2017
While a bunch of people are joking that the dark web service is way more efficient than heading to Medicare, the breach is actually a pretty big deal, and one that the government doesn’t quite seem to have a handle on.
In a statement this morning, Minister for Human Services Alan Tudge confirmed that the government is taking the breach “very seriously”, but have “received assurance that the information obtained by the journalist was not sufficient to access any personal health record”.
Tudge’s response seems to sidestep the real and pressing threat of identity theft, as having access to someone’s Medicare details may be sufficient to impersonate them to any other service that allows a Medicare card to contribute to proof of ID. A Medicare card can currently provide 25 points in the 100 point ID check used by many organisations. Some government ID numbers, like a Unique Student Identifier, can be obtained with a Medicare card alone.
This is a disaster for security. Medicare card is 25/100 points of ID required for identity theft of any Australian https://t.co/YSmSdr3ZZ2
— Alex Cooper (@kuperov) July 4, 2017
The source of the breach is not yet clear, but it’s worth noting that this isn’t the only time the security of Medicare records has come into question of late. In 2014, questions over security were raised when the government announced it would outsource Centrelink and Medicare data storage to a private US firm, in order to cut costs.
2014 was also the year an audit of Australian Government agencies’ cyber security revealed that a number of agencies, including the Department of Human Services, hadn’t implemented a bunch of mandatory information security strategies. While the Department of Human Services subsequently improved its cyber security, data being sold on the dark web often only emerges years after the initial breach.
Anyway, it’s not like Centrelink’s more recent tech endeavours have been any better. See, for example, the robo-debt debacle, which, despite literally killing people, is what Alan Tudge refers to as a system that’s working.
Two confirmed suicides over robodebt. But my bet is there's more fuss over the Medicare leak because it effects the upper class
— Asher Wolf (@Asher_Wolf) July 3, 2017
If we’re learning anything from 2017, please let it be that how governments handle their tech really matters, and our government is way out of its depth.