Cyber Black Market Selling Compromised ATO and MyGov Logins Illustrates Medibank & Optus Only Tip of Iceberg


Millions of Australians' highly sensitive data is being openly traded online, including logins for personal Australian Tax Office accounts, medical and personal data of thousands of NDIS recipients, and confidential information of an alleged assault on a Victorian school student by their teacher. 

An ABC investigation discovered large chunks of previously unreported confidential material widely available on the internet, ranging from sensitive legal contracts to individual MyGov account login details being sold for as little as $1 USD. The massive amount of newly discovered data confirms that the high-profile hacks of Medibank and Optus represent only a small portion of the confidential Australian records recently stolen by cybercriminals. 

In the last few months, hackers have exposed the personal information of at least 12 million Australians. It has also been revealed that many of those affected only discovered they had been victims of data theft after being contacted by the ABC.

They claimed that the organizations in charge of protecting their data either failed to notify them adequately or misled them about the severity of the breach. One of the main hubs where stolen data is published is a Google-searchable forum that only appeared eight months ago and has soared in popularity, much to the chagrin of global cyber intelligence experts.

Anonymous users on the forum and similar websites frequently sell stolen databases containing the personal information of millions of Australians. Others were seen offering generous rewards to those brave enough to go after specific targets, such as one post seeking classified intelligence on Australian submarine development. 

CyberCX director of cyber intelligence Katherine Mansted stated, "There's a criminal's cornucopia of information available on the clear web, which is the web that's indexed by Google, as well as in the dark web. There's a very low barrier of entry for criminals … and often what we see with foreign government espionage or cyber programs — they are not above buying tools or buying information from criminals either." 

In one case, law student Zac's medical information was stolen in one of Australia's most heinous cyber breaches and freely published by someone with no discernible motive. Zac suffers from a rare neuromuscular disorder that has rendered him unable to walk and prone to extreme weakness and fatigue. The ABC has agreed not to use his full name because he is concerned that the stolen information could be used to track him down.

His sensitive personal data was stolen in May during a cyber attack on CTARS, a company that provides the National Disability Insurance Scheme (NDIS) with a cloud-based client management system. The NDIA, which is in charge of the NDIS, told a Senate committee that it had confirmed with CTARS that all 9,800 affected participants had been notified.

However, ABC Investigations has determined that this is not the case. The ABC interviewed 20 victims of the breach, and all but one — who later discovered a notice in her junk mail — said they had not received a notification or had even heard of the hack. The ABC confirmed that the leaked CTARS database contained Medicare numbers, medical information, tax file numbers, prescription records, mental health diagnoses, welfare checks, and observations about high-risk behavior such as eating disorders, self-harm, and suicide attempts.

"It's really, really violating," said Zac, whose leaked data included severe allergy listings for common food and medicine. "I may not like to think of myself as vulnerable … but I guess I am quite vulnerable, particularly living alone. Allergy records, things that are really sensitive, [are kept] private between me and my doctor and no one else but the people who support me. That's not the sort of information that you want getting into the wrong hands, particularly when ... you don't have a lot of people around you to advocate for you."

The CTARS database is just one of many thousands being traded on the ever-expanding black market for cybercrime. These postings appear on both the clear web, which is accessible through standard web browsers, and the dark web, which requires special software to access. The low prices demanded for confidential data demonstrate the magnitude of the problem.

ABC Investigations discovered users selling personal information and log-in credentials to individual Australian accounts such as MyGov, the ATO, and Virgin Money for as little as $1 to $10 USD.
Two-factor authentication is built into MyGov and ATO services, which protects accounts with compromised usernames and passwords, but those same login details could be used to circumvent less-secure services.

A cyber intelligence expert demonstrated to the ABC a popular hackers forum where remote access to an Australian manufacturing company was auctioned off for up to $500. He refused to name the company. According to Ms. Mansted of CyberCX, the "black economy" in stolen data and hacking services is the world's third-largest economy, trailing only the US and Chinese GDP.

"The cost of buying a person's personal information or buying access to hack into a corporation, that's actually declining over time, because there is so much information and so much data out there," said Ms. Mansted. 

Cyber threat investigator Paul Nevin monitors online forums where hundreds of Australians' login data are traded each week.

"The volume of them was staggering to me," said Mr. Nevin, whose company Cybermerc runs surveillance on malicious actors and trains Australian defense officials.

"In the past, we'd see small scatterings of accounts but now, this whole marketplace has been commoditized and fully automated. The development of that capability has only been around for a few years but it shows you just how successful these actors are at what they do."

Private school information has been leaked

The cyber attack on Medibank last month by the Russian criminal group REvil demonstrated the devastation that cyber crime can cause.

After REvil obtained the data of 9.7 million current and former customers and published highly sensitive medical information online, the country's largest health insurer is now facing a possible class action lawsuit. Russian and Eastern European criminal groups host sites on the dark web where they publish ransom threats and later leak databases if the ransom is not paid.

The groups conduct research on their targets in order to inflict the most damage. Victims include multinational corporations such as Thales and Accenture, as well as Australian schools.

The Kilvington Grammar School community in Melbourne is reeling after a prolific ransomware gang, Lockbit 3.0, leaked more than 1,000 current and former students' personal data in October. The private school notified parents via email, including one on November 2, which stated that an "unknown third party has published a limited amount of data taken from our systems."

According to correspondence sent to parents, this "sensitive information" included contact information for parents, Medicare details, health information such as allergies, and some credit card information. The cache of information actually published by Lockbit 3.0, on the other hand, was far more extensive than initially suggested.

According to ABC Investigations, the ransomware group published highly confidential documents containing parents' bank account numbers, legal and debt disputes between the school and families, report cards, and individual test results.

The publication of details about an investigation into a teacher accused of assaulting a child and privileged legal advice about a student's death was the most shocking. Kilvington Grammar has been at the center of a coronial inquest into the death of Lachlan Cook, 16, who died in 2019 after suffering complications from Type 1 diabetes while on a school trip to Vietnam.

Lachlan became critically ill and began vomiting, which was misdiagnosed as gastroenteritis rather than a rare diabetes complication. The coroner has indicated that the death was avoidable because neither the school nor the tour operator, World Challenge, provided specific diabetes care for the teenager.
Lachlan's parents declined to comment, but ABC Investigations understands that they were not notified by the school that sensitive legal documents concerning his death had been stolen and published online.

Other parents whose information was compromised told the ABC that they were dissatisfied with the school's failure to explain the scope of the breach.

"That's distressing that this type of data has been accessed," said father of two, Paul Papadopoulos.

"It's absolutely more sensitive [than parents were told] and I think any person would want to have known about it." 

In a statement to the ABC, Kilvington Grammar did not respond to specific questions about the Cook family tragedy or whether a ransom was demanded or paid. Camilla Fiorini, the school's marketing director, admitted that the school's attempt to notify families about the specifics of what personal data was stolen was an "imperfect process."

"We have adopted a conservative approach and contacted all families that may have been impacted," she said.

"We listed — to the best of our abilities — what data had been accessed ... we also suggested additional steps those individuals can consider taking to further protect their information. The school is deeply distressed by this incident and the impact it has had on our community."

Lockbit 3.0 recently targeted a law firm, a wealth management firm for high-net-worth individuals, and a major hospitality company in Australia.

Victims are left out in the cold as a result of the blame game

Kilvington Grammar's inability to properly notify victims of data theft is not an isolated incident, and its targeting by a ransomware group is representative of a growing apparatus commoditizing stolen personal information.

Personal data is becoming "increasingly valuable to cybercriminals who see it as the information they can exploit for financial gain," according to Australian Federal Police (AFP) Cybercrime Operations Commander Chris Goldsmid.

"Cybercriminals can now operate at all levels of technical ability and the tools they employ are easily accessible online," he warned.

"We suspect there are many more victims but they are too embarrassed to come forward, or they have not realized what has happened to them is a crime," Commander Goldsmid said.

While authorities and the Federal Government have warned Medibank customers to be on the lookout for identity thieves, many other Australians are completely unaware they are victims.

All government agencies, organizations that hold health information, and businesses with an annual revenue of more than $3 million are required by the Privacy Act to notify individuals when their data has been breached if it is deemed "likely to cause serious harm." 

After CTARS was hacked in May, the company issued a statement on its website about the breach but delegated responsibility for informing NDIS recipients to 67 individual service providers affected by the breach. When ABC Investigations asked CTARS why many of the impacted NDIS recipients had not been notified, it stated that the processes were best handled by each provider.

"The OAIC [Office of the Australian Information Commissioner] suggests that notifications are usually best received from the organization who has a relationship with impacted individuals — in this case, the service providers," a CTARS spokesperson said.

"CTARS worked extensively to support the service providers in being able to ... bring the notification to their clients' attention."

However, the NDIA told the ABC this responsibility lay not with those individual providers, but with CTARS.

"The Agency's engagement with CTARS following the breach indicated that CTARS was fulfilling all its obligations under the Privacy Act in relation to the breach," an NDIA spokesperson said.

"The Agency has reinforced with CTARS its obligation to inform users of their services."

This has provided little comfort to Zac and other CTARS victims whose personal information may never be erased from the internet.

"It's infuriating, it's shocking and it's disturbing," said Zac.

"It makes me really angry to know that multiple government agencies and these private support companies, who I would have thought would be duty bound to hold my best interests at heart … especially when my safety is at risk … that they at no level attempted to get in contact with me and assist me in protecting my information."

Zac's former service provider, Southern Cross Support Services, did not respond to the ABC's questions.

Karen Heath was a victim of another hack published on the same forum as the CTARS data.

In the last month, the Victorian woman has been the victim of two hacks, one of Optus customer data and the other of confidential information stored by MyDeal, which is owned by retail giant Woolworths Group. Woolworths told the ABC that since the MyDeal hack, it has "enhanced" its security and privacy practices, and it "unreservedly apologize[d] for the considerable concern the MyDeal breach has caused."

But Ms. Heath remains anxious.

"You feel a bit helpless [and] you get worried about it," Ms. Heath said.

She added, "I don't even know that I'll shop at Woolworths again ... they own MyDeal. They have insurance companies, they have all sorts of things. So where does it end?"
