Services Australia has begun a massive data-matching exercise to identify and protect customers whose Medicare credentials were stolen in the Optus data breach incident, with official documents about the probe revealing the agency will now also search for Centrelink Reference Numbers.

The formal notification of the commencement of the data-matching program states Services Australia “will compare the data provided by Optus to Medicare and Centrelink customer records held by the Agency.

“This will assist the agency to identify affected customers and apply proactive security measures to affected customer records.”

According to Optus, around 50,000 Medicare numbers were exposed in the breach, part of a haul of 2.1 million identity documents that also included driver’s licence and passport details; the beleaguered telco put the number of the latter at 150,000.

Privacy advocates have called for a right of compensation for victims of breaches.

The notice puts on the official record “the commencement of a data-matching program by Services Australia (the Agency) using information provided by SingTel Optus Pty Limited (Optus) about customers affected by the September 2022 data breach (Optus Data Breach)”.

The notice says that “where an Agency customer’s Medicare number or Centrelink Reference Number (CRN) was disclosed as part of the Optus Data Breach” that data “to the extent available to Optus, has been provided by Optus” to Services Australia.

More specifically, it lists the customer data points provided as being:

card number, expiry date and name appearing on Medicare or Centrelink card

customer’s date of birth

customer’s home address

customer’s telephone number.

Services Australia is also conspicuously adhering to privacy and transparency requirements, stating “a protocol document describing this program has been developed in consultation with the Office of the Australian Information Commissioner (OAIC).”

“The Agency adheres to the OAIC Guidelines on data matching in Australian Government administration which includes standards for data matching to protect the privacy of individuals.”

The Mandarin is seeking to clarify whether Optus has provided the entire dump of what is believed to have been exfiltrated or merely those parts that it believes contain Centrelink and Medicare numbers.

Notably, passport details are missing from the gazette, suggesting Foreign Affairs will need to do its own data matching.

Over the weekend, both government services minister Bill Shorten and home affairs and cybersecurity minister Clare O’Neil launched fresh attacks on Optus for not handing over the data more expeditiously.

The matching process should be relatively quick, with Services Australia and Medicare still using heavyweight mainframe infrastructure designed to churn through millions of records via batch processing.

The latest effort also highlights that data matching can have positive uses. The identification of data theft victims uses essentially the same technology and contact processes as robodebt, albeit to a different end.

It is still unclear how many interconnected government systems of record victims will need to update if Medicare numbers and Centrelink Reference Numbers have to be re-issued or changed.

