TWO file photos of shady hooded figures with obscured faces and glitch art effects or other digital overlays put over the pic! Truly, this is a very comprehensive report about hacking indeed.
On a serious note, I'm not at all surprised that my government's screwed up some sort of online database of private information. We had the famous census night access issues due to a DDoS and I am just waiting for that data to leak. It doesn't surprise me whatsoever when our government mismanages IT projects in particular and I suspect more of this sort of data leak is going to inevitably happen as a result.
ITifying all of the things isn't necessarily a good idea. Some things are honestly worth the extra hassle of being left to pen and paper.
If they haven't responded to your satisfaction within 30 days, you can escalate the complaint to the Office of the Australian Information Commissioner.
In a catch-22 move, the DHS complaint form tries to get you to submit your complaint via a MyGov account, but there is a button for submitting without an account, the direct URL being:
Risk Biz has more details [1]. Recommend the podcast!
* IBM and the ABS were offered DDoS prevention services from their upstream provider, NextGen Networks, and said they didn't need it.
* This plan was activated when there was a small-scale attack against the census website.
* Unfortunately another attack hit them from inside Australia. This was a straight up DNS reflection attack with a bit of ICMP thrown in for good measure. It filled up their firewall's state tables. Their solution was to reboot their firewall, which was operating in a pair.
* They hadn't synced the ruleset when they rebooted the firewall so the secondary was essentially operating as a very expensive paperweight. This resulted in a short outage.
You haven't worked in a govt department, have you? In one meeting the BA Ministry lead fell asleep and actually started snoring. In another, the ministry infrastructure architect said, "oh, that thing, I've lost the word, what is it?" - "a server?".
As an ex antipodean govt contractor, I'm not even kidding. Many other stories of complete fuckwits who had no right to touch a keyboard, never mind run things. My conclusion was anyone with any smarts was completely bamboozled by the abject incompetence and left to the private sector, leaving behind the above characters. Unbelievable, but true. Saying that, don't believe me, get a job there and see for yourself :)
My guess, based on what's publicly available, is that this incident is quite possibly just a set of stolen or misused creds for a fairly widely available Medicare card lookup database used by doctors. In which case, this is less of a "cyber security" issue and more an issue with fundamental system design/requirements. But we'll see.
One way to avoid this would be to limit the access of a doctor to patient records. Unless you give permission at a doctor/hospital to have them access your record, they won't be able to do a lookup. Retract the permission automatically/renew it once every X months. This would make stolen/misused creds a much smaller risk.
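As an added illustration of the consent model described in the comment above (not code from any Medicare system or from the commenter), here is a small lookup service where a provider can only resolve a patient's record while that patient has granted it access, and the grant lapses automatically after a fixed window. The record contents, patient and provider identifiers and the 180-day window are all constructed assumptions for the example; the point it shows is that credentials stolen from one provider only reach the patients who consented to that provider, and only until the grant expires.

```python
"""Consent-scoped record lookup (added example; all data constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed consent lifetime, standing in for "renew it once every X months".
CONSENT_WINDOW = timedelta(days=180)

# Constructed sample records: patient id -> (name, fake card number).
RECORDS = {
    "pat-1": ("A. Example", "0000 00000 0"),
    "pat-2": ("B. Example", "1111 11111 1"),
}


@dataclass
class ConsentRegistry:
    """Maps (patient, provider) to the instant the grant expires."""
    _grants: dict = field(default_factory=dict)

    def grant(self, patient_id: str, provider_id: str, now: datetime) -> None:
        self._grants[(patient_id, provider_id)] = now + CONSENT_WINDOW

    def revoke(self, patient_id: str, provider_id: str) -> None:
        self._grants.pop((patient_id, provider_id), None)

    def is_valid(self, patient_id: str, provider_id: str, now: datetime) -> bool:
        expiry = self._grants.get((patient_id, provider_id))
        return expiry is not None and now < expiry


class LookupService:
    """Resolves a record only when a live consent grant exists; every attempt is audited."""

    def __init__(self, records: dict, registry: ConsentRegistry):
        self.records = records
        self.registry = registry
        self.audit = []  # (timestamp, provider, patient, allowed)

    def lookup(self, provider_id: str, patient_id: str, now: datetime):
        allowed = self.registry.is_valid(patient_id, provider_id, now)
        self.audit.append((now, provider_id, patient_id, allowed))
        if not allowed:
            return None
        return self.records.get(patient_id)


def demo() -> dict:
    """Walk through: consent granted, wrong patient denied, grant expired."""
    registry = ConsentRegistry()
    service = LookupService(RECORDS, registry)
    t0 = datetime(2017, 7, 1)          # constructed timestamp
    registry.grant("pat-1", "clinic-A", t0)
    return {
        # clinic-A holds consent from pat-1: the lookup succeeds
        "consented": service.lookup("clinic-A", "pat-1", t0),
        # the same credentials cannot reach pat-2, who never consented
        "not_consented": service.lookup("clinic-A", "pat-2", t0),
        # after the window lapses the grant is dead without anyone revoking it
        "expired": service.lookup("clinic-A", "pat-1", t0 + timedelta(days=181)),
        "denied_attempts": sum(1 for entry in service.audit if not entry[3]),
    }


if __name__ == "__main__":
    print(demo())
```

The audit list is what makes the denied attempts visible: a credential that suddenly starts probing patients outside its consent set shows up as a run of `allowed=False` entries, which is a much narrower thing to alert on than "a doctor did a lookup".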
This is a problem that can be solved in a low tech way using a medical bracelet / necklace for patients who have chronic diseases that doctors might need to know about.
Somebody with sickle cell disease or otherwise transfusion dependent greatly benefits from electronic records, which help minimize antibody reactions (not just ABO and Rh, but Duffy, Kell, Kidd, MNS, etc)
So, this isn't access to patient records as such - it's merely access from a name to a Medicare number.
Additionally, how exactly are you going to get the patient to give permission beforehand? Patients will expect to walk into a medical clinic, hand over their card, and have it all just work.
This is just as likely to be a rogue employee/sysadmin as it is an actual hack. I wouldn't start placing blame until it's determined what the actual cause is.
If it is an employee or sysadmin, they are an idiot.
It's $30 a pop for small volume and large risk. If you have a job with access to this data you should be charging a hell of a lot more. But it's enough to get someone in a poorer country with little at risk to create a fake gmail account and use it to bootstrap access to an online self service portal or whatever approach they are using.
Indeed. Assuming they have some kind of logs for legitimate use in place (X was logged in and requested X), how hard would it be to add a bogus record, request it and see who looks it up. If it's accessed and the logs are avoided, there's probably something leaky.
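The canary-record investigation sketched in the comment above, written out as an added example (not the commenter's code and not any real system's log format): seed records that exist nowhere else, let the seller be asked for them, then check the lookup audit trail. A canary that comes back from the seller and appears in the logs points at the credential that fetched it; a canary that comes back with no log entry at all means some access path bypasses logging. The log line format, user names, canary names and timestamps are all constructed for the example.

```python
"""Canary-record triage over a lookup audit log (added example; data constructed)."""
import re
from collections import defaultdict

# Assumed audit line format, e.g.
#   2017-07-03T10:15:00Z user=dr_jones action=lookup name="Canary Alpha" result=hit
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=lookup name="(?P<name>[^"]+)"'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2017-07-03T09:58:12Z user=dr_smith action=lookup name="Real Patient" result=hit
2017-07-03T10:15:00Z user=dr_jones action=lookup name="Canary Alpha" result=hit
2017-07-03T10:16:41Z user=dr_jones action=lookup name="Canary Alpha" result=hit
2017-07-03T11:02:07Z user=dr_lee action=lookup name="Canary Gamma" result=hit
2017-07-03T11:30:00Z user=dr_smith action=login
""".splitlines()

# Records planted solely to be looked up; they correspond to no real person.
CANARIES = {"Canary Alpha", "Canary Beta", "Canary Gamma"}


def parse_log(lines):
    """Keep only lookup events; other actions (logins etc.) are ignored."""
    entries = []
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def canary_hits(entries, canaries):
    """Map each canary name to the (timestamp, user) pairs that looked it up."""
    hits = defaultdict(list)
    for entry in entries:
        if entry["name"] in canaries:
            hits[entry["name"]].append((entry["ts"], entry["user"]))
    return dict(hits)


def classify(entries, canaries, leaked):
    """Combine log evidence with which canaries the seller actually supplied.

    leaked: set of canary names whose details came back from the seller.
    Returns name -> (verdict, sorted list of users seen in the log).
    """
    hits = canary_hits(entries, canaries)
    verdicts = {}
    for name in sorted(canaries):
        users = sorted({user for _, user in hits.get(name, [])})
        if name in leaked and name in hits:
            verdicts[name] = ("logged_access", users)        # credential identified
        elif name in leaked:
            verdicts[name] = ("unlogged_access", users)      # a path that evades logging
        elif name in hits:
            verdicts[name] = ("lookup_without_sale", users)  # worth a closer look, not proof
        else:
            verdicts[name] = ("quiet", users)
    return verdicts


def triage():
    # Constructed: the seller returned Alpha and Beta when asked, never Gamma.
    leaked = {"Canary Alpha", "Canary Beta"}
    return classify(parse_log(SAMPLE_LOG), CANARIES, leaked)


if __name__ == "__main__":
    for name, (verdict, users) in triage().items():
        print(f"{name}: {verdict} {users}")
```

The interesting branch is `unlogged_access`: the canary was served but no lookup was recorded, which is the "logs are avoided" case in the comment and the strongest hint that the leak is not going through the monitored front door.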
Some blame can be placed up-front, at least potentially. Regardless of the _nature_ of the breach, if the data ought not to have been stored, the fault lies with those who decided to store it.
Privacy has never been a priority for the Australian government - its citizens simply don't have the right.
So there really shouldn't be much surprise over this. More importantly is that this story should educate Australians as to just how much their government values their privacy - sure, this will be hailed as a reason for even more political oversight over technological processes, but only for as long as there isn't a "legitimate corporate customer" for the Australian government, itself, to negotiate with, over ownership and control of this data.
I think it's just with everything. I saw a tweet once that was something like: "If you ask a programmer how long an hour will take they'll tell you 45 minutes"
That's because they only count the part that they're working on. The rest of the Hour project includes standups, testing, documentation, deployment, retrospectives and post-mortems, team happy hours, ...
On a related note, I've recently had two UK banks request more personal documents from me, and a video, for anti-fraud or anti-laundering, blah, blah reasons. When, not if, they get hacked, the intruders will have even greater ability to abuse my identity. Data protection acts are barking up the wrong tree - what we need are data limitation acts to require corporations to store as little data as possible.
Wait, this is 75 records? What kind of leak is that? Seems far more likely to be one user accessing data over an insecure network and having that session captured, or similar one-instance leak. But on the other hand...what are the odds this journalist was one of a random 75 records?
Given certain details they were performing lookups on demand for a price. This does not suggest server ingress, it implies lack of bulk exfil. Access to a logged-in authenticated session. Nothing like Google/Royal Free Hospital heist.
They had successfully sold 75 records as of the date of the journalist's investigation. But that was a demand-side limitation - they apparently could supply any record on request.
Identity theft. Medicare cards are used as a form of official identification by government here and it's photoless. Make a convincing fake with coherent details and I'm sure it'd be a handy stepping stone.
Granted, it's local to AU which makes it small fry on a worldwide data black market scale.
Advertising? "Buy medicine X now because it's much better than medicine Y for your condition".
Also, insurance companies like to know what you have. If they secretly have your personal healthcare data, they could do a more focused 'sampling'.
Blackmail. Some people may not want their health history revealed (say you're having an abortion or being treated for substance abuse). High profile individuals in particular.
Free or subsidised healthcare. If you're an overseas resident living in Australia and can produce a valid medicare number you can get access to a fairly comprehensive range of medical services under somebody else's name. It would be very rare for any medical facility to request ID beyond a medicare card. Actually happens fairly frequently with visiting overseas relatives borrowing family member's medicare cards.
The blast radius is somewhat limited by the 100-point identity check.
Medicare cards are only worth 25 points in the 100-point check. You must present one of the "primary" 70-point documents: birth certificate, birth card, citizenship certificate, current or recently-expired passport, diplomatic or refugee papers.
Then you will need another form of identification, on top of the primary and medicare, to pass 100 points.
I suppose if you have a driver's license + medicare card you could start applying for things like passports or loans. Perhaps you could get a license from someone by selling a second hand car and asking them to hand over a license while they take it for a test drive. It could also be used for blackmail I suppose if you've used a medicare for some sort of service that you want to keep private.
I think you're right though. All the people that make the most money from having health data could just lobby governments for access or just ask their customers for it.