Cyber black market selling hacked ATO and MyGov logins shows Medibank and Optus only tip of iceberg
The highly sensitive information of millions of Australians including logins for personal Australian Tax Office accounts, medical and personal data of thousands of NDIS recipients, and confidential details of an alleged assault of a Victorian school student by their teacher is among terabytes of hacked data being openly traded online.
An ABC investigation has identified large swathes of previously unreported confidential material that is widely available on the internet, ranging from sensitive legal contracts to the login details of individual MyGov accounts, which are being sold for as little as $1 USD.
The huge volume of newly identified information confirms the high-profile hacks of Medibank and Optus represent just a fraction of the confidential Australian records recently stolen by cyber criminals.
At least 12 million Australians have had their data exposed by hackers in recent months.
It can also be revealed many of those impacted learnt they were victims of data theft only after being contacted by the ABC.
They said they were either not adequately notified by the organisations responsible for securing their data, or were misled as to the gravity of the breach.
One of the main hubs where stolen data is published is a forum easily discoverable through Google, which only appeared eight months ago and has soared in popularity — much to the alarm of global cyber intelligence experts.
Anonymous users on the forum and similar websites regularly hawk stolen databases collectively containing millions of Australians' personal information.
Others were seen offering generous incentives to those daring enough to go after specific targets, such as one post seeking classified intelligence on the development of Australian submarines.
"There's a criminal's cornucopia of information available on the clear web, which is the web that's indexed by Google, as well as in the dark web," said CyberCX director of cyber intelligence Katherine Mansted.
"There's a very low barrier of entry for criminals … and often what we see with foreign government espionage or cyber programs — they're not above buying tools or buying information from criminals either."
In one case, law student Zac's medical information, pilfered in one of Australia's most troubling cyber breaches, was freely published by someone without a clear motive.
Zac has a rare neuromuscular disorder which has left him unable to walk and prone to severe weakness and fatigue. The ABC has agreed not to use his full name because he fears the stolen information could be used to locate him.
His sensitive personal data was stolen in May in a cyber attack on CTARS, a company that provides a cloud-based client management system to National Disability Insurance Scheme (NDIS) and NSW out-of-home-care service providers.
The National Disability Insurance Agency (NDIA), which is responsible for the NDIS, told a Senate committee it had confirmed with CTARS that all 9,800 affected participants had been notified.
But ABC Investigations has established this is not the case. The ABC spoke with 20 victims of the breach, and all but one, who later found a notice in her junk mail, said they had not received a notification or even heard of the hack.
The leaked CTARS database, verified by the ABC, included Medicare numbers, medical information, tax file numbers, prescription records, mental health diagnoses, welfare checks, and observations about high-risk behaviour such as eating disorders, self-harm and suicide attempts.
"It's really, really violating," said Zac, whose leaked data included severe allergy listings for common food and medicine.
"I may not like to think of myself as vulnerable but I guess I am quite vulnerable, particularly living alone. Allergy records, things that are really sensitive, [are kept] private between me and my doctor and no one else but the people who support me. That's not the sort of information that you want getting into the wrong hands, particularly when ... you don't have a lot of people around you to advocate for you."
The CTARS database is just one of many thousands being traded on the ever-growing cybercrime black market. These postings appear both on the clear web, used every day through common web browsers, and on the dark web, which requires special software to access.
The scale of the problem is illustrated by the low prices being demanded for confidential data. ABC Investigations found users selling personal information and login credentials for individual Australian accounts, including MyGov, the ATO and Virgin Money, for between $1 and $10 USD.
MyGov and ATO services are built with two-factor authentication, which protects accounts with compromised usernames and passwords, but those same login details could be used as a means to bypass less-secure services.
One cyber intelligence expert showed the ABC a popular hackers forum, in which remote access to an Australian manufacturing company was auctioned for up to $500. He declined to identify the company.
CyberCX's Ms Mansted said the "black economy" in stolen data and hacking services was by some measures the third largest economy in the world, surpassed only by the US and Chinese GDP.
"The cost of buying a person's personal information or buying access to hack into a corporation, that's actually declining over time, because there is so much information and so much data out there," said Ms Mansted.
Cyber threat investigator Paul Nevin monitors online forums where hundreds of Australians' login data are traded each week.
"The volume of them was staggering to me," said Mr Nevin, whose company Cybermerc runs surveillance on malicious actors and trains Australian defence officials.
"In the past, we'd see small scatterings of accounts but now, this whole marketplace has been commoditised and fully automated. The development of that capability has only been around for a few years but it shows you just how successful these actors are at what they do."
In Melbourne, the Kilvington Grammar School community is reeling after more than 1,000 current and former students had their personal data leaked in October by a prolific ransomware gang, Lockbit 3.0.
The independent school informed parents via emails, including one on November 2 that stated an "unknown third party has published a limited amount of data taken from our systems".
Correspondence sent to parents indicated this "sensitive information" included contact details of parents, Medicare details and health information such as allergies, as well as some credit card information. However, the cache of information actually published by Lockbit 3.0 was far more extensive than initially suggested.
ABC Investigations can reveal the ransomware group published highly confidential documents containing the bank account numbers of parents, legal and debt disputes between the school and families, report cards, and individual test results.
Most shocking was the publication of details concerning the investigation into a teacher accused of assaulting a child and privileged legal advice about the death of a student.
Kilvington Grammar has been at the centre of a coronial inquest into Lachlan Cook, 16, who died after suffering complications of Type 1 diabetes during a school trip to Vietnam in 2019. Lachlan became critically ill and started vomiting, which was mistaken for gastroenteritis rather than a rare complication of his diabetes.
The coroner has indicated she will find the death was preventable because neither the school nor the tour operator, World Challenge, provided specific care for the teenager's diabetes.
Lachlan's parents declined to comment, but ABC Investigations understands they did not receive notification from the school that sensitive legal documents about his death were stolen and published online.
Other Australian organisations recently targeted by Lockbit 3.0 included a law firm, a wealth management firm for high-net-worth individuals, and a major hospitality company.