November 9, 2022
The Australian Federal Police have expanded Operation Guardian in a bid to protect Medibank Private customers whose personal information has been illegally released online.
A spokesperson said the AFP was aware very personal information had been released on the dark web and had immediately taken measures, including covert techniques, to identify further criminal activity.
Investigators within the AFP’s Cyber Command were working with public and private sector agencies to scour the internet and known criminal online sites to identify people buying or selling personal identification information.
It is an offence to buy stolen information online, which could include a penalty of up to 10 years’ jail. It is also an offence to blackmail or menace customers.
The AFP-led Operation Pallidus, which is focussed on the criminal data breach, is also working with Commonwealth agencies and “Five Eyes” partners (ie. the intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States), including the FBI.
The spokesperson said the AFP had significant powers which should be a chilling reminder to hackers, and those who will attempt to piggyback off them, that they will be relentlessly pursued.
Operation Guardian, a joint initiative with State and Territory police, was set up in September to protect more than 10,000 Optus customers whose credentials were unlawfully released online.
It has now been extended to include Medibank Private customers.
Assistant Commissioner Cyber Command Justine Gough said the criminals behind the latest attack may be offshore but that would not deter the AFP.
“We have significant powers, determination and access to international law enforcement networks to help investigate this breach,” she said.
“This is not just an attack on an Australian business. Law enforcement agencies across the globe know this a crime type that is borderless and requires evidence and capabilities to be shared.
“It is an offence to buy stolen data, which could be used for financial crimes.
“Just as importantly, the AFP is aware that the unlawful release of private health information can be distressing and embarrassing for some of those affected by the Medibank data breach.
“To the customers impacted by this latest breach, please do not be embarrassed to contact police through ReportCyber if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made.
“Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years’ imprisonment.
“Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data.
“Law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offences using stolen Medibank Private data.
Assistant Commissioner Gough said just downloading or accessing stolen Medibank Private data may constitute a criminal offence.
The public have been encouraged to:
- Look out for any suspicious or unexpected activity across your online accounts, including your telco, bank and utilities accounts. Make sure to report any suspicious activity in your bank account immediately to your financial institution;
- Do not click on any links in any email or SMS claiming to be from Optus or Medibank Private;
- If someone calls claiming to be from Optus, Medibank Private, police, bank or another organisation and offers to help you with the data breach, consider hanging up and contacting the organisation on its official contact details. This can be a scammer calling using your personal information;
- Never click on any links that look suspicious and never provide your passwords, your bank’s one-time pins, or any personal or financial information, and
- If people call posing as a credible organisation and request access to your computer, always say no.
If you believe you have been a victim of Cybercrime, report it at cyber.gov.au
