• Current Related Scam Activity 
    • Be aware that just because you receive a scam call, that does not mean that the scammer has your data and knows you were impacted by the Medibank Data Breach. Scammers will be randomly calling, emailing and messaging numbers knowing that many of these will reach individuals impacted by the Data Breach.

      Medibank Impersonation Scam

      IDCARE is aware of Medibank being impersonated in phishing texts, emails and phone calls. You may be contacted by scammers claiming to be from Medibank asking you to verify your details or offering a discount or incident response service in relation to the data breach.

      myGov Impersonation Scam

      IDCARE is aware of a myGov impersonation text message scam requesting you to update your details.

      Don’t click on the link! Always contact organisations independently via verified means. Australian Government agencies will never send you a link to login pages via SMS or email. Emails with hyperlinks will only be sent to your myGov inbox, not your personal email account.

      If you clicked the link in an SMS or email, contact myGov immediately via:

      • myGov Scams and Identity Theft Help Desk - 1800 941 126 Monday to Friday 8am to 5pm AEST.
      • and refer to  https://www.servicesaustralia.gov.au/what-to-do-if-scam-has-affected-you?context=60271

      IDCARE also recommends logging in to your myGov account to check across all linked accounts:

      • your contact details, including email address and phone number, remain unchanged;
      • multi factor authentication is enabled;
      • your linked services, such as the ATO or Centrelink, remain unchanged. 

      Telecommunications Provider Scam

      IDCARE is aware of other organisations, such as telcos, being impersonated in phishing texts, emails and telephone calls. The scammer will claim that because you were involved in the Medibank/ahm data breach, they are offering discounted services, such as 50% off your next phone bill.

    • Precautionary Measures 
    • You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to you. Never click on links in emails or text messages, no matter how legitimate they appear. Do not be pressured to respond, whether it is by email, text message or telephone. Instead, contact the organisation sending the message directly using contact details you know to be correct. For more information on phishing watch IDCARE's what is phishing video here --> https://www.idcare.org/how-to-videos/what-is-phishing.

      Protect your accounts with multi-factor authentication, including financial, government, email, and social media accounts. For more information on multi-factor authentication, watch IDCARE's "What is multi-factor authentication" video here --> https://www.idcare.org/how-to-videos/what-is-multi-factor-authentication.

      Use unique and strong passwords.

      Contact your telecommunications provider/s, utilities providers, superannuation and financial organisations and request additional security is placed on your account.

      Install antivirus on your devices. This will not prevent all phishing attempts or links to fraudulent websites, but will reduce the risks. You will still need to remain vigilant.

      It is always a good idea to regularly review your account details and security settings for any online accounts.  Check that your contact details are correct, and changes have not been made to any linked bank accounts or other services.

    • Full Name and Date of Birth 
    • Potential Risks

      Individually, these are both low-risk pieces of identity information. However, in combination with other information (such as address and phone number), scammers engaging you may appear more legitimate.

       

      Recommendations

      You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to you (such as your name and date of birth for “verification”). For more information on phishing watch IDCARE's what is phishing video here --> https://www.idcare.org/how-to-videos/what-is-phishing.

      Never click on links in emails or text messages, no matter how legitimate they appear. Do not be pressured to respond, whether it is by email, text message or telephone. If you want to know whether an organisation tried to get in touch with you, contact the organisation yourself using contact details you know are correct.

      Stay vigilant about scams and keep up with the latest ones by regularly visiting idcare.org, connecting with our social media, and subscribing to our free online newsletter Cyber Sushi. Another great resource is Scamwatch, which collates lots of information and alerts about scams.

    • Phone Number 
    • Information

      The Phone Number will be the one associated with your Medibank or ahm account. This could be your mobile or a landline/home phone number. 

       

      Potential Risks

      The exposure of a phone number can leave you open to being targeted by spam or scam phone calls.

      These can appear to be from legitimate phone numbers with local area codes.

      They often claim to be an authority or organisation, such as the police, a telecommunication company or a government entity.

      The scam-caller may frame the call with a sense of urgency, either in order to avoid a penalty (such as a payment or fine) or to receive a reward (such as a discount).

      Scammers may send fraudulent SMS messages to the phone number. These may impersonate a legitimate organisation and include a link to a malicious download or scam website.

      For more information on SMS scams please visit IDCARE's fact sheet --> https://www.idcare.org/fact-sheets/sms-scams.

      Recommendations

      Keep being super vigilant about scams, particularly telephone and SMS scams. Having a little bit of information exposed (such as your full name, address, date of birth, or phone number) can make the job of scammers much easier when convincing people about their deception.

      Do not feel pressured to respond to a call or text message. If you think a call may not be legitimate, hang up and call the organisation back using details that you know are correct.  Do not accept that it is the real organisation because the Caller ID shows their correct number or name – these can be “spoofed” or masked to appear to be real.

      Do not download apps or software (such as AnyDesk or TeamViewer), follow technology instructions, or allow remote access to your device to someone who has called you.

      Do not click on links in text messages. Instead, contact the organisation using details you know are correct.

    • Email Address 
    • Information

      The Email Address will be the one associated with your Medibank or ahm account.

       

      Potential Risks

      You may see an increase in email phishing attempts, particularly from scammers claiming to be from Medibank or ahm. These emails may include malicious attachments, links to fake websites or may download malware onto your device. They may encourage you to update or verify your details or to access a reimbursement via a link. IDCARE has already received reports from individuals who have received phishing emails purporting to be from Medibank/ahm.

      There is also the risk that your email address may be “spoofed” so that it appears to recipients that the email came from you. If you used a business email to engage with Medibank/ahm (e.g. johnsmith@businessname.com), there is the potential for a scammer to spoof that email address and attempt to engage with the business to change your personal details, such as your bank account details for your pay.

      Additionally, there is the potential for extortion attempts, whereby a criminal claims to have access to your information and threatens to release it unless you provide payment. It is important not to comply with such requests, no matter how convincing they may appear.

      You can report extortion attempts to the police and/or ReportCyber.

       

      Recommendations

      Continue being super vigilant about scams and phishing emails. Having a little bit of information exposed (such as your full name, date of birth, email address or phone number) can make the job of scammers much easier when convincing people about their deception.

      Beware of phishing emails, including those asking to update billing details, pay invoices or apply for reimbursements.

      Never click on links in unsolicited or unexpected emails, no matter how legitimate they appear.

      Do not be pressured to respond to emails. Instead, contact the organisation directly using contact details you know to be correct.

      Use an up-to-date antivirus application that includes email protection and scanning.

      Advise your place of employment that you have been affected by the Medibank/ahm data breach, and that you would like additional security measures to be put in place before any changes are made to your personal details (including email, address, phone number, banking and superannuation details).

    • Physical Address 
    • Information

      The physical address will be the one associated with your Medibank or ahm account.

       

      Potential Risks

      For most individuals, physical addresses are considered low risk identity attributes. However, in combination with other attributes (such as your full name, date of birth, email address and phone number) scammers engaging you via email, SMS or telephone may appear more legitimate.

      The number of reports made to IDCARE of cyber criminals physically attending the address is very low.

      You may have additional concerns regarding the exposure of your address if you are a survivor of domestic violence, due to your employment, or for other reasons. If you are in immediate danger, contact the police (in Australia call 000, in New Zealand call 111).

      If you are considering increasing your security, be sure to engage a recognised member of the Australian Security Industry Association Limited (ASIAL) or the New Zealand Security Association (NZSA).

       

      Recommendations

      You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to you, such as your full name, date of birth and address.

      Do not interact with or engage with callers or emails claiming legitimacy because they know your address.

      For more information on phishing watch IDCARE's what is phishing video here --> https://www.idcare.org/how-to-videos/what-is-phishing.

      Never click on links in emails or text messages, no matter how legitimate they appear.

      Do not be pressured to respond, whether it is by email, text message or by telephone. If you want to know whether an organisation tried to get in touch with you, contact the organisation yourself using contact details you know are correct.

    • Medicare Number 
    • Information

      This data breach event included the breached individual's Medicare number. Please note that Medicare numbers were only exposed for ahm customers, not Medibank customers.

       

      Risks

      Your Medicare card number may be used as a form of identity verification in order to create accounts in your name, including financial accounts.

      Services Australia has advised that your Medicare account cannot be accessed with only your Medicare card number.

      Your Medicare card number in combination with full contact details, driver licence and/or passport number can place you at higher risk of misuse, such as access to or creation of financial/credit/loan accounts.

       

      Recommendations

      Before requesting a new Medicare card, confirm with ahm that your Medicare card number was compromised.

      IDCARE recommends that if you believe that the exposure of your Medicare card number presents a broader risk to other accounts (such as financial accounts), then you may wish to apply for a completely new card number using the Services Australia MS011 form. More information on this process can be found online at Services Australia. When completing the form, you will need to select “transfer to a new card”, and have everybody who is listed on your current Medicare card complete their details if they also wish to transfer to a new card number.

    • Passport Number 
    • Information

      For international student customers, passport numbers (but not expiry dates) may have also been exposed in the breach.

      Medibank/ahm is communicating to those that have had their passport number compromised and will reimburse any government fees necessary for the renewal of compromised passports.

       

      Potential Risks

      The exposure of a passport number can leave you open to SIM (Subscriber Identity Module) swaps.

      Unauthorised access to financial accounts can occur where the passport number is used as a form of verification.

      New financial accounts (debit accounts, credit cards, personal loans) can be created, and this can extend to Buy-Now-Pay-Later (BNPL) products.

      When a criminal has your passport details, they can create social media accounts in your name and take over existing accounts. They may also establish new utility accounts and apply for rental properties. 

       

      Recommendations

      New Zealand

      For holders of New Zealand passports, the Department of Internal Affairs (DIA) can place a flag on your passport which will alert DIA if an application is made to replace or renew your passport. DIA call centre staff have been unable to confirm with IDCARE if the impacted individual will also be notified of a renewal or replacement attempt.

      According to the DIA, a flag on your passport will not prevent:

      • your passport being used for travel, or
      • someone from using your passport for credit applications or identification purposes unrelated to international travel.

      However, a flag may delay processing of your own application for a replacement or renewal passport.

      To place a flag, contact DIA online or call 0800 225050.

      If you choose to replace your passport, you can apply for a new passport online. This will automatically cancel your current passport, but an application fee will apply.

      Medibank/ahm is communicating to those that have had their passport number compromised and will reimburse any government fees necessary for the renewal of compromised passports.

       

      Other Countries

      If you are not in your home country, contact your embassy or consulate to discuss the process of replacing your passport.  You can find your nearest embassy or consulate in Australia or New Zealand.

      If you are in your home country, contact the government organisation responsible for issuing passports to request further information regarding replacing your passport.

      Medibank/ahm is communicating to those that have had their passport number compromised and will reimburse any government fees necessary for the renewal of compromised passports.

      Please be advised that your visa or other immigration documents will have been issued using your current passport number. In Australia, you can update your passport details with the Department of Home Affairs. In New Zealand, you can follow the process to transfer your visa to your new passport through Immigration New Zealand.
