A cyber security expert says doctors’ personal information and identity documents could be sold on the dark web or used to “buy or prescribe” drugs.
Hundreds of doctors and medical staff recently received a letter warning them that a worryingly large amount of their personal information had been mistakenly exposed online due to a website misconfiguration last month.
According to The Guardian, which broke the story on Wednesday (10 September), 67 doctors from the south-eastern Sydney district and more than 500 medical staff from the Illawarra Shoalhaven district had their data exposed during the incident.
Passports and driver’s licences were impacted, as well as professional credentials, work histories, registrations, and letters of reference.
One doctor, speaking on condition of anonymity, described the leak as a “very powerful dataset” that could be easily misused. Petr Novak, chief technical officer at Australian cyber security firm Secolve, agreed.
“Because this wasn’t a major cyber attack or ransomware incident, there may be a tendency to shrug it off as a less serious cyber incident. And yes, it’s unlikely that this data was accessed maliciously, but the individuals involved could be facing a grim prognosis if their data fell into the wrong hands,” Novak told Cyber Daily.
“Personal information, including passports and driver’s licences for more than 500 health professionals, including senior doctors, is an incredibly dangerous dataset. Other than increasing the risk of impersonation, fraud, and future phishing campaigns, this breach is rather unique because it opens the door to the possibility of an attacker using a doctor’s identity to buy or prescribe drugs. That kind of information would also be incredibly valuable if sold on the dark web.”
The incident is a troubling one as it didn’t require the exploitation of a vulnerability or a complex attack chain. It was, in effect, a glaring but no doubt simple mistake.
“In many cases, it’s not malicious intent but stretched resources, overworked staff, and weak processes that let these mistakes slip through. Unlike a major ransomware attack that sets off alarms, a quiet misconfiguration can sit unnoticed for months or years until someone stumbles across it,” Novak said.
“This shows that cyber risk isn’t always about battling external attackers; sometimes it’s about ensuring the basics are done right, and that there are strong checks and balances in place to prevent small errors from snowballing into large breaches.”
Novak compared the NSW Health error with the Optus hack, saying that in both cases, “the root cause wasn’t an advanced, nation-state attack but a basic misconfiguration”.
“For Optus, it was a poorly protected API that allowed unauthorised queries; here, it looks like directory permissions were left open so documents could be indexed and found,” Novak said.
“These are the kinds of ‘low-hanging fruit’ mistakes that attackers love – because they require almost no skill to exploit.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.