A joint police operation targeting misuse of personal information after high-profile Australian hacks has linked “over 11,000 cybercrime incidents” to the Medibank data breach.
The number is contained in a submission by Victoria Police to a federal cybercrime inquiry and appears to be the first time a measure of fallout from the incident has been disclosed.
It relates to the work of ‘Operation Guardian’, which brings together federal, state and territory police and other organisations to – in the words of the Australian Federal Police (AFP) – “identify, disrupt, charge and prosecute any person seeking to exploit personally identifiable information (PII) obtained from [a] data breach.”
Operation Guardian was initially set up to monitor for misuse of data from the Optus breach in 2022, before being expanded to Medibank (2022), MyDeal (2022), Latitude Financial (2023) and file transfer service GoAnywhere (2023).
It frequently cites a Sydney man’s attempt to misuse stolen Optus data as a case study of the joint operation’s work.
The new figure specific to the Medibank breach – which affected 9.7 million customers – offers a fresh, if brief, insight into the joint operation’s work, as well as the extent to which exfiltrated data may be exploited.
“Operation Guardian has so far linked over 11,000 cybercrime incidents to the Medibank data breach,” Victoria Police said.
It’s not immediately clear whether the figure is for Victoria or on a national basis, but it does provide some indication of the extent of alleged data exploitation.
According to the most recent AFP annual report, Operation Guardian “focuses on matching ReportCyber reports of fraud or identity theft with any relevant PII datasets that have been exposed online.”
ReportCyber is a national online register where members of the public can report a cybercrime incident or vulnerability.
Neither the AFP annual report nor its submission to the cybercrime inquiry discusses Operation Guardian’s work beyond Optus.
Capability boost
Victoria Police used much of its submission to press the case for an expansion of state laws to “search and seize” data from cloud services and other “virtual environments”.
While able to “search and seize cryptocurrency”, courtesy of recent revisions, it lamented not having the same powers for cloud-based data.
“Once legislative frameworks are expanded to better enable search and seizure of data, appropriate tools will be required to ensure electronic capture and production is forensically sound,” it said.
The force suggested it would need substantial data storage of its own to seize terabytes of data per case, and the ability to treat any seized data “so that it can be tendered as evidence”.
“Victoria Police is processing an increasing number of devices with larger amounts of data, creating a significant capacity burden,” it said.
The force said it also needed to build capability to keep pace with rapid change in the technology space generally.
“In many respects, capability requires modern technology and tools, including legislation, to be designed, having regard to the fact that most technology in this space will become obsolete in short time periods,” it said.
The force was also keen to develop capability around cybercrime intelligence.
While it is being offered data that contains potential intelligence, the force said its resources were stretched with just investigating cybercrime reports, and so it did not have capacity to devote to intelligence-gathering and analysis.
To illustrate, Victoria Police said it is dealing with “a disproportionately higher rate of cybercrime relative to the population”; one in every four reports to ReportCyber in 2022-23 related to Victorians.