The Australian Federal Police (AFP) has this morning announced the expansion of its Operation to protect Medibank Private customers whose personal information has been unlawfully released online by ransomware criminals.
The AFP is aware that distressing and very personal information has been released on the dark web and has immediately taken measures, including covert techniques, to identify further criminal activity, it said in a statement.
Investigators within the AFP’s Cyber Command are working with public and private sector agencies to scour the internet and known criminal online sites to identify those who are buying or selling personal identification information.
It is an offence to buy stolen information online, which could include a penalty of up to 10 years’ imprisonment. It is also an offence to blackmail or menace customers, the AFP said.
Operation Guardian, a joint initiative with state and territory police set up in September to protect more than 10,000 customers whose identification credentials were unlawfully released online under the Optus data breach, will now extend to Medibank Private customers.
A Sydney man yesterday pleaded guilty to trying to blackmail Optus customers after he was charged by the AFP.
AFP Assistant Commissioner Cyber Command Justine Gough said the criminal or criminal groups behind this attack may be offshore but that would not deter the AFP.
“We have significant powers, determination and access to international law enforcement networks to help investigate this breach,” she said.
“This is not just an attack on an Australian business. Law enforcement agencies across the globe know this a crime type that is borderless and requires evidence and capabilities to be shared.
“It is an offence to buy stolen data, which could be used for financial crimes.
“Just as importantly, the AFP is aware that the unlawful release of private health information can be distressing and embarrassing for some of those affected by the Medibank data breach.
“To the customers impacted by this latest breach, please do not be embarrassed to contact police through ReportCyber if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made.
“Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years’ imprisonment.”
Commander Gough said Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data.
“Law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offences using stolen Medibank Private data.”
She said just downloading or assessing stolen Medibank Private data may constitute a criminal offence.
“As a force multiplier, we use the powers and authorities of all of our agencies to disrupt the sale and distribution of the unlawfully-obtained data.”
The public are encouraged to:
- Look out for any suspicious or unexpected activity across your online accounts, including your telco, bank and utilities accounts. Make sure to report any suspicious activity in your bank account immediately to your financial institution;
- Do not click on any links in any email or SMS claiming to be from Optus or Medibank Private;
- If someone calls claiming to be from Optus, Medibank Private, police, bank or another organisation and offers to help you with the data breach, consider hanging up and contacting the organisation on its official contact details. This can be a scammer calling using your personal information.
- Never click on any links that look suspicious and never provide your passwords, your bank’s one time pins, or any personal or financial information, and.
- If people call posing as a credible organisation and request access to your computer, always say no.
If you believe you are a victim of Cybercrime, report it to ReportCyber at cyber.gov.au.
