Optus confirms 14,900 active Medicare details exposed in data breach

Thousands of Medicare ID numbers have been exposed as a result of the Optus data breach, the company has confirmed.

The company said it has identified 14,900 valid card numbers that have been exposed.

“All of the customers who have a Medicare card that is not expired will be contacted within 24 hours,” Optus said.

A further 22,000 expired card numbers have also been exposed. The company said it will contact those customers directly “out of an abundance of caution”.

Optus said it is in contact with Services Australia following the data breach.

“Please be assured that people cannot access your Medicare details with just your Medicare number,” Optus said.

“If you are concerned or have been affected, you can replace your Medicare card as advised by Services Australia.”

Earlier today, the federal government said it is considering issuing new Medicare cards for the millions of Australians who had their private details leaked as part of the data breach.

Health Minister Mark Butler told the ABC today the government was only alerted that Medicare numbers were part of the massive leak when the apparent culprit, who later stopped his extortion bid, posted 10,000 new personal records online yesterday.

“We are very concerned about the loss of the data and are hard to deal with the consequences, but we are particularly concerned we were not working earlier and consumers were not notified earlier about the breach of Medicare data as well,” he said.

Butler said the government was also considering fast-tracking passport replacements.

‘I don’t trust criminals’

Meanwhile, a cyber-security expert has warned that a pledge from the apparent hacker that all stolen data had been destroyed should not be trusted.

In a bizarre sequence of events yesterday, an anonymous online poster claimed to be responsible for the data breach that saw the information of almost 10 million Australians compromised.

The poster said they had released the personal data of the first 10,200 people, and would continue doing so until their ransom demand was met.

They also claimed to have destroyed the only copies of the stolen personal information, which included driver's license, passport, and Medicare numbers.

But Alastair MacGibbon from CyberCX said he was skeptical of the claim's sincerity.

“I don’t believe it. I don’t trust criminals,” he told Today.

“That means this data is still out there. Can’t put it back in that bottle.”

The follow up post from an anonymous account claiming responsibility for the Optus hack, in which it apologises for the attack. (Supplied)

The identity of the hacker or hackers has not been confirmed, but MacGibbon said the consensus inside the cyber-security community was that it was not a “sophisticated” attack that led to the Optus breach.

He said this put the onus on Optus.

“The size of this data breach, up to 10 million Australians affected, is unprecedented here in this country,” he said.

“So, of course, more could have been done.”

But he warned that improving cyber-security could be a complex issue.

“It’s not just about privacy laws. It’s also about how you configure your technology,” he said.

“A lot of what we do is about risk management. It isn’t binary, secure or insecure.”

He said people could not expect data protection to be bullet-proof.

“If it was negligent, then Optus will pay the price,” MacGibbon said.

“But even the best defenses can be overwhelmed from time-to-time, particularly by nation states and sometimes by sophisticated criminals.

“The unfortunate thing this week, is that by all accounts, this was not a sophisticated breach.”