Peter A Clarke

On 4 July 2017 the Guardian reported that Medicare card details were being sold on the dark web. As at July 2017 the vendor had sold details of 75 Medicare card details since the previous October.   In May of this year the Guardian reported that Medicare details were still being offered for sale on the darknet.  That should not have been a great surprise.  The personal information available from Medicare details is very valuable in engaging in identity theft and the ability of law enforcement to identify the thieves is often limited.  Even if an identity is established more often than not, by a wide margin, it is almost impossible to arrest that person because he (it is almost always a he) is domiciled in a country with a shaky legal system or with a government which connives in the fraudulent activity.

The ABC reports in Medicare card details of former Australian Federal Police commissioners available on dark web that the personal information of former Australian Federal Police Commissioners, Keelty, Negus and Colman contained in their Medicare details have been sold on the darknet. The fact that the former Commissioners personal information is being sold is no more egregious that the personal information of other individuals.  It is an interesting angle for the story. The key takeaway from the story is that proper security is key.  Once personal information is stolen it is extremely difficult to recover and remediation is a very difficult and expensive process.

The fact that the source of the data leak is not known is a serious concern.  The non answers and stonewalling by the Department of Human Services through its spokesman Hank Jongen is quite disgraceful.  What is even more concerning is the lack of activity by the Information Commissioner.  As with most privacy breaches the Information Commissioner stands mute.

The ABC article provides:

The Medicare card details of three former Australian Federal Police (AFP) commissioners were advertised for sale on a dark web marketplace, a revelation likely to raise significant concerns about the integrity of Medicare card information.

7.30 can reveal that former commissioners Andrew Colvin, Mick Keelty and Tony Negus potentially had their personal details sold on a dark web site.

The availability of Mr Colvin’s data appears to have occurred while he was still commissioner.

The revelations are contained in a cache of documents obtained by 7.30 that outline the efforts the AFP has taken to combat the sale of Medicare card records and other government information on the dark web.

Medicare credentials are valuable to organised crime groups.

They can potentially be used for identification fraud to purchase goods or properties, or obtain fraudulent payments from Medicare.

The targeting of high-profile law enforcement figures raises other concerns that the data could be used to impersonate a public official or gain access to other forms of identification or personal information.

Sale of AFP commissioners’ details ‘very disturbing’ 

In July 2017 when reports first emerged that the Medicare card details of any Australian were available for sale on popular dark web site Alphabay, the AFP initiated Operation Elaphiti to investigate the allegations.

The Department of Human Services is responsible for the integrity of the Medicare card system.

Diary records from a federal agent tasked to the investigation written in July 2019 note there have been “2 sales of Colvin/Negus/Keelty details + more on Alphabay market”.

The officer later wrote “C’s Details compromised”, and that he had been advised to email another AFP team and “they will ascertain privacy & security implication”.

A spokeswoman for the AFP said: “We understand the details were available for sale on the dark web.

“We are not aware whether details were actually sold.”

The specific nature of the sales listings relating to the former police commissioners is unusual.

Dark web sites, which often look like online auction pages, more commonly provide identification details in more general terms, for instance offering templates of fake drivers licences.

In 2017 an independent review into Medicare card access recommended a number of changes to the Department of Human Services.

More than 200,000 people across the country can potentially access Medicare card information for any Australian.

Associate Professor Vanessa Teague at the University of Melbourne’s school of computing systems said the specific reference to police officers’ card details was “very disturbing”, although the motivation of the dark web vendor was unclear.

“I don’t necessarily see it as evidence of particularly malicious activity directed necessarily against those police officers. It could just be showing off,” she said.

Ms Teague said that potentially any prominent person could have their Medicare card details accessed, because the system only required knowledge of a person’s name and date of birth.

“One possible explanation might simply be as a way of advertising, that they could get anybody’s details, which evidently they can,” she said.

Department of Human Services general manager Hank Jongen told 7.30 he was unable to comment on individual cases.

“Since we first became aware of Medicare details being sold on the dark web in 2017, we have taken all necessary steps to ensure the security of Australians’ health information,” Mr Jongen told 7.30.

AFP ‘infiltrating and disrupting’ dark web networks

The AFP’s acting commander of cybercrime operations Chris Goldsmid said the agency was intently focused on investigating a range of criminal activities on dark web sites.

“In terms of cybercrime operations, we see criminals and the people that we’re investigating making a lot of use of dark net forums to sell identification documents, others types of personal information, credit card details, and essentially anything that can be used to facilitate access to accounts and theft of money,” he told 7.30.

The primary use of identification documents such as Medicare card details for criminal groups is to help them build a false identity that could then potentially be used to engage in identity fraud or commit other crimes.

“The use criminals make of those details is really the profit motive, to either directly buy details that can be used to purchase items, or gain access to accounts to steal money,” Mr Goldsmid said.

He outlined a number of challenges around investigating dark web sites, including technical challenges and potentially jurisdictional ones.

He said the AFP had recently conducted an investigation into an alleged fraud syndicate siphoning funds out of superannuation accounts. The syndicate had allegedly purchased identity information on dark web sites as part of its scheme.

Mr Goldsmid did not have operational oversight of the Medicare investigation Operation Elaphiti, but was aware of its details.

“I am aware that three former AFP commissioners may have had their details available on a dark web marketplace for purchase,” he said.

“What this does highlight is that anyone, even former commissioners of the AFP, can be the victim of identity fraud online.”

Medicare ‘vulnerabilities’ likely to attract further attention

The AFP executed several search warrants following the initial reports about the sale of Medicare cards in July 2017, but no charges have been brought in relation to their sale.

In September 2018 the Department of Human Services cyber team advised the AFP that a vendor on another dark web site was selling Medicare card credentials.

The federal agent investigating the case said they were already aware of the issue, but were “reluctant to pursue due to resources”.

Operation Elaphiti was suspended in June 2018.

Government agencies are acutely aware of the intense public scrutiny relating to the security of health related information after significant controversy over the Federal Government’s My Health Record scheme.

In a heading titled Political/Media Considerations, the federal agent noted that “with the changes earlier this year to My Health Record from an opt in to an opt out system, and the ensuing media coverage, vulnerabilities within the Medicare system are highly likely to attract significant political and media interest”.

Ms Teague said she had previously conducted a test that found that Medicare card credentials could potentially be used in conjunction with a “small amount” of additional personal information to potentially access a person’s My Health Record.

Mr Hongen said the department was “confident in the robust monitoring and fraud detection mechanisms we have in place to protect Medicare details”.

He added that the department had implemented 13 out of 14 recommendations from the independent review.

The Alphabay website where at least 160 sales of Medicare card details occurred was brought down by US law enforcement in August 2017.

In similar investigations, the AFP is heavily reliant on the provision of data from the United States and other countries by mutual assistance requests.

But the progress of international requests for data can often be lengthy.

An April 2019 case note outlined the investigation was still waiting for further information from overseas.

“Case to remain in suspension at this time,” the note read.

“Once the material is received the case can be re-activated and investigators can begin assessment of the material to establish further lines of enquiry with the aim to identify the [dark web] vendor.”