Cyber black market selling hacked ATO and MyGov logins shows Medibank and Optus only tip of iceberg

The highly sensitive information of millions of Australians — including logins for personal Australian Tax Office accounts, medical and personal data of thousands of NDIS recipients, and confidential details of an alleged assault of a Victorian school student by their teacher — is among terabytes of hacked data being openly traded online.

An ABC investigation has identified large swathes of previously unreported confidential material that is widely available on the internet, ranging from sensitive legal contracts to the login details of individual MyGov accounts, which are being sold for as little as $1 USD.

The huge volume of newly identified information confirms the high-profile hacks of Medibank and Optus represent just a fraction of the confidential Australian records recently stolen by cyber criminals.

At least 12 million Australians have had their data exposed by hackers in recent months.

It can also be revealed many of those impacted learnt they were victims of data theft only after being contacted by the ABC.

They said they were either not adequately notified by the organisations responsible for securing their data, or were misled as to the gravity of the breach.

Russian cyber criminals targeted Medibank earlier this year and have drip-fed customer information in a bid to secure a ransom payment.(AAP: Lukas Coch)

One of the main hubs where stolen data is published is a forum easily discoverable through Google, which only appeared eight months ago and has soared in popularity — much to the alarm of global cyber intelligence experts.

Anonymous users on the forum and similar websites regularly hawk stolen databases collectively containing millions of Australians’ personal information.

Others were seen offering generous incentives to those daring enough to go after specific targets, such as one post seeking classified intelligence on the development of Australian submarines.

Aus Submarine Requests — A user offering incentives for classified materials. The ABC could not find evidence of a transaction being made for this request.(Supplied)

“There’s a criminal’s cornucopia of information available on the clear web, which is the web that’s indexed by Google, as well as in the dark web,” said CyberCX director of cyber intelligence Katherine Mansted.

“There’s a very low barrier of entry for criminals … and often what we see with foreign government espionage or cyber programs — they’re not above buying tools or buying information from criminals either.”

In one case, law student Zac’s medical information, pilfered in one of Australia’s most troubling cyber breaches, was freely published by someone without a clear motive.

Zac has a rare neuromuscular disorder which has left him unable to walk and prone to severe weakness and fatigue. The ABC has agreed not to use his full name because he fears the stolen information could be used to locate him.

His sensitive personal data was stolen in May in a cyber attack on CTARS, a company that provides a cloud-based client management system to National Disability Insurance Scheme (NDIS) and NSW out-of-home-care service providers.

optus 'yes' sign on glass fronted office block — Optus customers’ private information was compromised after a cyber attack hit the phone and internet provider.(AAP: Bianca De Marchi)

The National Disability Insurance Agency (NDIA), which is responsible for the NDIS, told a Senate committee it had confirmed with CTARS that all 9,800 affected participants had been notified.

But ABC Investigations has established this is not the case. The ABC spoke with 20 victims of the breach, all but one — who later found a notice in her junk mail — said they had not received a notification or even heard of the hack.

The leaked CTARS database, verified by the ABC, included Medicare numbers, medical information, tax file numbers, prescription records, mental health diagnoses, welfare checks, and observations about high-risk behaviour such as eating disorders, self-harm and suicide attempts.

“It’s really, really violating,” said Zac, whose leaked data included severe allergy listings for common food and medicine,

“I may not like to think of myself as vulnerable … but I guess I am quite vulnerable, particularly living alone.

“Allergy records, things that are really sensitive, [are kept] private between me and my doctor and no one else but the people who support me.

“That’s not the sort of information that you want getting into the wrong hands, particularly when … you don’t have a lot of people around you to advocate for you.”

The CTARS database is just one of many thousands being traded on the ever-growing cybercrime black market. These postings appear on both the clear web — used everyday through common web browsers — and on the dark web which requires special software for access.

The scale of the problem is illustrated by the low prices being demanded for confidential data.

ABC Investigations found users selling personal information and log-in credentials to individual Australian accounts which included MyGov, the ATO and Virgin Money for between $1 to $10 USD.

MyGov and ATO services are built with two-factor authentication, which protects accounts with compromised usernames and passwords, but those same login details could be used as a means to bypass less-secure services.

Katherine Mansted called on governments to urgently reform processes of notifying victims of cyber attacks.(Supplied)

One cyber intelligence expert showed the ABC a popular hackers forum, in which remote access to an Australian manufacturing company was auctioned for up to $500. He declined to identify the company.

CyberCX’s Ms Mansted said the “black economy” in stolen data and hacking services was by some measures the third largest economy in the world, surpassed only by the US and Chinese GDP.

“The cost of buying a person’s personal information or buying access to hack into a corporation, that’s actually declining over time, because there is so much information and so much data out there,” said Ms Mansted.

Cyber threat investigator Paul Nevin monitors online forums where hundreds of Australians’ login data are traded each week.

“The volume of them was staggering to me,” said Mr Nevin, whose company Cybermerc runs surveillance on malicious actors and trains Australian defence officials.

“In the past, we’d see small scatterings of accounts but now, this whole marketplace has been commoditised and fully automated.

“The development of that capability has only been around for a few years but it shows you just how successful these actors are at what they do.”

Explosive details leaked about private school

The cyber attack on Medibank last month by Russian criminal group REvil brought home the devastation cyber crime can inflict.

The largest health insurer in the country is now facing a possible class action lawsuit after REvil accessed the data of 9.7 million current and former customers, and published highly sensitive medical information online.

Law firms are investigating whether Australia’s largest health insurer, Medibank, is liable for leaving its network vulnerable to hackers.(Reuters: David Gray)

On the dark web, Russian and Eastern European criminal organisations host sites where they post ransom threats and later leak databases if the ransom is not paid.

The groups research their targets to inflict maximum damage. Victims range from global corporations, including defence firm Thales and consulting company Accenture, to Australian schools.

In Melbourne, the Kilvington Grammar School community is reeling after more than 1,000 current and former students had their personal data leaked in October by a prolific ransomware gang, Lockbit 3.0.

The independent school informed parents via emails, including one on November 2 that stated an “unknown third party has published a limited amount of data taken from our systems”.

Kilvington Grammar School was the target of cyber criminals.(ABC News: Sarah Curnow)

Correspondence sent to parents indicated this “sensitive information” included contact details of parents, Medicare details and health information such as allergies, as well as some credit card information.

However, the cache of information actually published by Lockbit 3.0 was far more extensive than initially suggested.

ABC Investigations can reveal the ransomware group published highly confidential documents containing the bank account numbers of parents, legal and debt disputes between the school and families, report cards, and individual test results.

Most shocking was the publication of details concerning the investigation into a teacher accused of assaulting a child and privileged legal advice about the death of a student.

Lachlan Cook died after a school trip to Vietnam in 2019. A coronial inquest is expected to hand down findings next year.(Supplied)

Kilvington Grammar has been at the centre of a coronial inquest into Lachlan Cook, 16, who died after suffering complications of Type 1 diabetes during a school trip to Vietnam in 2019.

Lachlan became critically ill and started vomiting, which was mistaken for gastroenteritis rather than a rare complication of his diabetes.

The coroner has indicated she will find the death was preventable because neither the school nor the tour operator, World Challenge, provided specific care for the teenager’s diabetes.

Lachlan’s parents declined to comment, but ABC Investigations understands they did not receive notification from the school that sensitive legal documents about his death were stolen and published online.

Other parents whose details were compromised told the ABC they were frustrated by the school’s failure to explain the scale of the breach.

“That’s distressing that this type of data has been accessed,” said father of two, Paul Papadopoulos.

“It’s absolutely more sensitive [than parents were told] and I think any person would want to have known about it.”

In a statement to the ABC, Kilvington Grammar did not address specific questions about the Cook family tragedy nor if any ransom was demanded or paid.

The school’s marketing director Camilla Fiorini acknowledged its attempt to notify families of the specifics of what personal data was stolen was an “imperfect process”.

“We have adopted a conservative approach and contacted all families that may have been impacted,” she said.

“We listed — to the best of our abilities — what data had been accessed … we also suggested additional steps those individuals can consider taking to further protect their information.

“The school is deeply distressed by this incident and the impact it has had on our community.”

Other Australian organisations recently targeted by Lockbit 3.0 included a law firm, a wealth management firm for high-net-worth individuals, and a major hospitality company.

Blame game leaves victims out in the cold

The failure of Kilvington Grammar to properly notify the victims of the data-theft is not an isolated case and its targeting by a ransomware group is emblematic of a growing apparatus commoditising stolen personal information.

Australian Federal Police (AFP) Cybercrime Operations Commander Chris Goldsmid, told the ABC personal data was becoming “increasingly valuable to cybercriminals who see it as information they can exploit for financial gain”.

“Cybercriminals can now operate at all levels of technical ability and the tools they employ are easily accessible online,” he warned.

He added the number of cybercrime incidents has risen 13 per cent from the previous financial year, to 67,500 reports — likely a conservative figure.

“We suspect there are many more victims but they are too embarrassed to come forward, or they have not realised what has happened to them is a crime,” Commander Goldsmid said.

While authorities and the Federal Government have warned Medibank customers to be on high-alert for identity thieves, many other Australians are unaware they are victims.

Under the Privacy Act, all government agencies, organisations that hold health information and companies with an annual turnover above $3 million are required to notify individuals when their data has been breached if it is deemed “likely to cause serious harm”.

Home Affairs Minister Clare O’Neil has also discouraged hacked companies from paying ransom demands.(ABC News: Tim Swanston)

After CTARS was hacked in May, the company published a statement about the hack on its website but devolved its responsibility to inform its NDIS recipients to 67 individual service providers affected by the breach.

When ABC Investigations asked CTARS why many of the impacted NDIS recipients were not notified, it said it decided the processes was best handled by each provider.

“The OAIC [Office of the Australian Information Commissioner] suggests that notifications are usually best received from the organisation who has a relationship with impacted individuals — in this case, the service providers,” a CTARS spokesperson said.

“CTARS worked extensively to support the service providers in being able to … bring the notification to their clients’ attention.”

There are still questions around who was responsible for notifying NDIS recipients about the CTARS breach.(AAP: Mick Tsikas)

However, the NDIA told the ABC this responsibility lay not with those individual providers, but with CTARS.

“The Agency’s engagement with CTARS following the breach, indicated that CTARS was fulfilling all its obligations under the Privacy Act in relation to the breach,” an NDIA spokesperson said.

“The Agency has reinforced with CTARS its obligation to inform users of their services.”

This has provided little comfort to Zac and other CTARS victims whose personal information may never be erased from the internet.

“It’s infuriating, it’s shocking and it’s disturbing,” said Zac.

“It makes me really angry to know that multiple government agencies and these private support companies, who I would have thought would be duty bound to hold my best interests at heart … especially when my safety is at risk … that they at no level attempted to get in contact with me and assist me in protecting my information.”

Zac’s former service provider, Southern Cross Support Services, did not respond to the ABC’s questions.

Victorian woman Karen Heath’s personal data was hacked twice last month.(ABC News: Sarah Lawrence)

A victim of another hack published on the same forum as the CTARS data is Karen Heath.

The Victorian woman has been the victim of two hacks in the past month, one of Optus’ customer data and another of confidential information stored by MyDeal, which is owned by retail giant Woolworths Group.

Woolworths told the ABC it has “enhanced” its security and privacy practices operations since the MyDeal hack and it “unreservedly apologise[d] for the considerable concern the MyDeal breach has caused”.