The federal government is working through whether new Medicare numbers will be given to victims of the Optus breach after it emerged the telco failed to disclose that the details were also contained in the stolen dataset.
Health minister Mark Butler on Wednesday said the government was “very concerned” that it took several days to learn about the loss of Medicare card numbers following the original breach notification by Optus.
“We only found out yesterday as I’m advised that included within that data that has been lost is Medicare details,” he said during an interview on ABC Radio.
“We’re very concerned about the loss of this data and working very hard to deal with the consequences of that.
“But particularly concerned that we were not notified earlier, and consumers were not notified earlier about the breach of Medicare data as well.”
Medicare numbers were revealed to have been contained in the stolen data on Tuesday, when the alleged Optus attacker released 10,000 customer records, before appearing to abandon their extortion attempt.
Security researcher Jeremy Kirk, who observed the data before the initial record set was deleted, uncovered references to Medicare card numbers 55 times across the released records.
Medicare cards are one form of identity that individuals can use for a 100-point identity check but, unlike driver’s licences and passports, are considered secondary documentation.
Mr Butler on Wednesday said it was not clear how many Medicare numbers had been compromised yet, but that agencies are looking at whether people would have to have their cards reissued.
“We’ve only been looking at that over the last 24 hours because of the lateness of notification,” he said, adding that the government is also looking at the need for replacement passports.
Services Australia has also sought to assure people that Medicare details cannot be accessed with just your Medicare card number.
Mr Butler joins Home Affairs minister Clare O’Neil in the government’s criticism of Optus for failing to disclose that Medicare numbers were included in the compromised data.
“Medicare numbers were never advised to form part of compromised information from the breach,” Ms O’Neil said on Tuesday.
“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them. Reports today make this a priority.”
Optus has declined to comment on whether Medicare card numbers were caught up in the data breach, citing the ongoing investigation by the Australian Federal Police (AFP).
The AFP is working to investigate the breach with the assistance of Optus and the Australian Signals Directorate, as well as overseas law enforcement, under ‘Operation Hurricane’.
Attorney General Mark Dreyfus on Tuesday said the United States Federal Bureau of Investigation is aiding the investigation, as are state and territory police.
Optus last week revealed a cyberattack had resulted in the disclosure of personal data from as many as 9.8 million current and former customers, including driver’s licences and passport numbers for a “subset of customers”.
O’Neil on Monday said around 2.8 million have had “significant amounts of personal data” taken in what she later described as “quite a basic hack”, a characterisation Optus has disputed.
State and territory governments on Tuesday began offering victims of the data breach a replacement driver’s licence at no cost, with Victoria, Queensland and South Australia all waiving the replacement fee. New South Wales will charge the usual fee of $29, but this will be reimbursed by Optus.
New South Wales Digital Government minister Victor Dominello on Tuesday strongly advised those who have had both their driver licence number and card number compromised to apply for a replacement at their own expense.
Mr Dominello has frequently called out the “oversharing” of personal information through physical identity documents in recent years. It is one of the reasons the state government ditched plans for a digital driver’s licence copy solution in 2019.
“When a bank, a car hire company or any other organisation asks you for a copy of your plastic licence – what happens to that paper copy? I imagine in most cases the paper goes into a metal filing cabinet and thereafter potentially into the cloud,” he said on LinkedIn earlier this year.
“The point is – once you have handed over your piece of paper, you have essentially lost control.”
Do you know more? Contact James Riley via Email.