
Patient details of 'any Australian' for sale on darknet - badrealam
https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet
======
NamTaf
_TWO_ file photos of shady hooded figures with obscured faces and glitch art
effects or other digital overlays put over the pic! Truly, this is a very
comprehensive report about hacking indeed.

On a serious note, I'm not at all surprised that my government's screwed up
some sort of online database of private information. We had the famous census
night access issues due to a DDoS and I am just waiting for that data to leak.
It doesn't surprise me whatsoever when our government mismanages IT projects
in particular and I suspect more of this sort of data leak is going to
inevitably happen as a result.

ITifying _all_ of the things isn't necessarily a good idea. Some things are
honestly worth the extra hassle of being left to pen and paper.

~~~
L_226
> We had the famous census night access issues due to a DDoS and I am just
> waiting for that data to leak

That wasn't a DDoS, that was a few million Australians trying to use a poorly
implemented system.

~~~
NamTaf
I thought they blamed a DDoS by unknown parties in addition to the
unexpectedly high load of us all trying to access it?

~~~
SyneRyder
They tried blaming it on that, but it was just incompetence. They didn't even
buy DDoS protection services.

There's more details on the inside story of the Census here:
[https://risky.biz/censusfailupdate/](https://risky.biz/censusfailupdate/)

~~~
lmm
"DDoS protection services" are a racket. Build the thing right and you don't
want or need them.

~~~
ironic_ali
You haven't worked in a govt department have you. In one meeting the BA
Ministry lead fell asleep and actually started snoring. In another, the
ministry infrastructure architect said, "oh, that thing, I've lost the word,
what is it?" - "a server?".

As an ex antipodean govt contractor, I'm not even kidding. Many other stories
of complete fuckwits who had no right to touch a keyboard, never mind run
things. My conclusion was anyone with any smarts was completely bamboozled by
the abject incompetence and left to the private sector, leaving behind the
above characters. Unbelievable, but true. Saying that, don't believe me, get a
job there and see for yourself :)

~~~
lmm
Requiring them to buy DDoS protection would be part of the problem, not the
solution.

------
voltagex_
@dang, could you please update the link to the article by the original
journalist.
[https://news.ycombinator.com/item?id=14693998](https://news.ycombinator.com/item?id=14693998)

------
logingone
On a related note, I've recently had two UK banks request more personal
documents from me, and a video, for anti-fraud or anti-laundering, blah, blah
reasons. When, not if, they get hacked, the intruders will have even greater
ability to abuse my identity. Data protection acts are barking up the wrong
tree - what we need are data limitation acts to require corporations to store
as little data as possible.

~~~
tomascot
If they get hacked, next time they'll ask you for even more info.

------
rmccue
Original story from The Guardian: [https://www.theguardian.com/australia-news/2017/jul/04/the-m...](https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet)

------
lazyasciiart
Wait, this is _75 records_? What kind of leak is that? Seems far more likely
to be one user accessing data over an insecure network and having that session
captured, or similar one-instance leak. But on the other hand...what are the
odds this journalist was one of a random 75 records?

~~~
nthcolumn
Given certain details, they were performing lookups on demand for a price. This
does not suggest server ingress; it implies a lack of bulk exfil. Access to a
logged-in authenticated session. Nothing like the Google/Royal Free Hospital
heist.

------
3uh5weutwehow
My bet is it is a compromised client certificate from a doctor or hospital.

The authorities will query the audit logs to determine who accessed the
journalist's record and revoke the cert.

The log will show the other leaked records, which the authorities will report
to the victims.

The investigation into how those records were leaked will land several people
in jail, as it is easily traceable to the credential.

Bad idea, darknet vendor! Selling data this traceable is sure to get you v&

~~~
technion
You are implying that they have such logs. I'm fairly sure you will find they
do not.

------
waihtis
Anyone have any feasible monetization schemes for personal healthcare data?

~~~
nomercy400
Advertising? "Buy medicine X now because it's much better than medicine Y for
your condition". Also, insurance companies like to know what you have. If they
secretly have your personal healthcare data, they could do a more focused
'sampling'.

~~~
glastra
I don't think medical data, other than information that is actually directly
printed on a card, is obtained or sold.

------
Untit1ed
Original article written by the reporter who actually did the original
research: [https://www.theguardian.com/australia-news/2017/jul/04/the-m...](https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet)

~~~
dang
Ok, we'll change to that from
[http://www.news.com.au/technology/online/security/hackers-ar...](http://www.news.com.au/technology/online/security/hackers-are-offering-to-sell-the-medicare-details-of-australians-on-the-dark-web-government-confirms/news-story/c475b1cbc963648c191a1eaceba4b12b).

