Information Commissioner starts investigation into Medibank while cyber gang escalates its demands…the data breach is taking on the appearance of a saga.

October 21, 2022

The Office of the Australian Information Commissioner announced today that it was “making inquiries into Medibank.” The ostensible reason is to ensure that Medibank complied with the Notifiable Data Breaches Scheme. Given the circumstances it had ample power to open an own motion investigation in any event. Given Medibank’s spluttering initial response to the data breach it is not surprising that this is the basis chosen.

The OAIC media release provides:

The Office of the Australian Information Commissioner (OAIC) is making preliminary inquiries with Medibank following its cyber incident, to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme.

As information is gathered and assessed, the number one priority is ensuring that Medibank customers have information and resources available to take steps to protect themselves from any risk arising as a result of their personal information being compromised.

“This matter is understandably of great concern, given the sensitive information that may be involved,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Individuals need to be alert to scams and any suspicious or unexpected activity on their personal accounts or devices, and refer to reliable sites such as Scamwatch for guidance.

“We will be working with other government regulators and agencies in relation to the response to the breach.”

Medibank customers should contact 13 23 31 and ahm customers should contact 13 42 46. For more information, see Medibank Cyber Incident.

There are a number of resources that provide information on how individuals can take steps to mitigate the risk from data breaches. Information about responding to a data breach notification is available on our website. Resources are also available at cyber.gov.au.

Under the NDB scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.

The Information Commissioner published its Annual Report last Wednesday, 19 October. It makes for sobering reading. It is not an agency that is thriving. InnovationAus has undertaken an analysis under the title Struggling privacy watchdog searches for ‘systemic’ changes. The regulator failed to meet its own deadlines for resolving complaints within a specified time and has suffered an attrition rate of 35%, almost double the public service average of 18%. Given the sudden and dramatic focus on high profile data breaches the obvious concern is whether it is “match fit”. Failing to meet even its generally modest, self imposed criteria is concerning, because it should have been much more active in enforcing the Privacy Act, which would require a far higher work rate. The lax state of privacy compliance in Australia for at least the last two decades can be at least partly sheeted home to the Privacy Commissioner and then the Information Commissioner, which has been conflict averse. It has been able to avoid any real scrutiny because the narrative is that it has not been properly funded to do its job and therefore things did not get done. That is an effective but not wholly accurate appreciation of the facts. It was a timid regulator even where the funding was adequate.

The Medibank data breach has taken another turn, with the hackers claiming to have taken Medibank customers’ credit card data, according to The Australian’s report Cyber gang says it has Medibank customers’ credit card data as it steps up ransom demands. Unlike many data breaches in America or elsewhere in the developed world, this breach has acquired a dramatic quality, with involvement by politicians and very loud announcements from the police and the Australian Signals Directorate. Whether this will become de rigueur for each large data breach in Australia is a real question. Hopefully not.

The Australian’s article provides:

A cyber criminal gang that hacked Medibank’s customer database has claimed to have stolen credit card security data as it escalates its ransom demands to Australia’s biggest health insurer.

In a letter to customers – the second in as many days – chief executive David Koczkar apologised “unreservedly” as he revealed the latest demands from the hackers and warned it is the tip of the iceberg.

“The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations,” Mr Koczkar said.

“Our teams are continuing to work around the clock to understand what additional customer data has been affected, and how this will impact them. We expect the number of affected customers to grow as the incident continues.”

Meanwhile Medibank entered a voluntary suspension of ASX trade amid uncertainty over the financial impact of the incident.

The Office of the Australian Information Commissioner (OAIC) has also begun making “preliminary inquiries” with Medibank – which has more than 3.9 million customers – to ensure it complied with data breach and retention laws. Medibank confirmed it holds customer information for up to seven years, and for children up until they are 25.

It comes after the OAIC launched an investigation into a separate cyber attack on Optus and the telco’s handling of customer data – which could lead to civil penalties of up to $2.2 million per breach.

At Medibank, the hackers have already stolen “very specific” customer data, including sensitive health information such as the medical conditions customers have been diagnosed with and treatment they were prescribed.

This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.

Australian Information and Privacy Commissioner Angelene Falk said “this matter is understandably of great concern, given the sensitive information that may be involved”.

“As information is gathered and assessed, the number one priority is ensuring that Medibank customers have information and resources available to take steps to protect themselves from any risk arising as a result of their personal information being compromised,” Ms Falk said.

“We will be working with other government regulators and agencies in relation to the response to the breach.”

Medibank on Monday said there was “no indication that the incident was caused by a (foreign) state-based actor”. But it is still gathering details of the attack as it completes a forensic investigation, with the situation evolving daily.

The hackers warn they will release the personal information of Medibank’s high-profile customers first, unless their demands are met.

“We offer to start negotiations in another case we will start realising our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc). Also we’ve found people with very ­interesting diagnoses. And we’ll email them their information,” the ransom demand stated.

On Thursday Home Affairs Minister Clare O’Neil branded the hack a “dog act” and warned of “irreparable harm to some Australian citizens”.

Australian Federal Police and Australian Signals Directorate officers have been stationed inside Medibank and are working alongside private security firms to determine what was stolen and how the attackers infiltrated the company’s systems.

“We know that our customers, people, and the community want to know what data has been stolen, and how that may affect them,” Mr Koczkar said in his latest letter to customers.

“The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems. That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.

“This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.”

The criminal gang says it has stolen about 200GB worth of customer information.

“As we have worked through this cyber incident, Medibank has committed to transparency about what we know, and how that could impact our customers, our people, and the broader community,” Mr Koczkar said.

“We will continue to contact affected customers. Medibank urges our customers to remain vigilant, and encourages them to seek independent advice from trusted sources, including the Australian Cyber Security Centre at cyber.gov.au.”

Medibank disclosed the attack last Thursday, and said in a series of updates that it was yet to find any evidence that customer data was stolen. But that changed on Wednesday, when the company said it had been approached by a hacking group, claiming to have stolen a trove of customer data and was threatening to release it publicly unless the health insurer paid a ransom.

In relation to the Optus hack, which stole the personal information of almost 10 million customers, the telco was referring questions to the Australian Federal Police, saying it did not want to compromise its investigation in catching the cyber criminals.

The InnovationAus article provides:

Australia’s privacy and information watchdog failed to meet key performance criteria around freedom of information and privacy investigations, as its workload jumped and staff attrition rate doubled the public service average.

The disappointing results from last financial year have led to warnings from the regulator about its resourcing and a call for government agencies to more proactively disclose information to the public.


The Office of the Australian Information Commissioner on Wednesday tabled its annual report, revealing it had achieved less than two thirds of its key performance indicators, blaming several of the misses on an increase in the complexity and volume of its work.

More than a quarter of Freedom of Information (FOI) complaints it handles now take more than a year to be resolved, while the overall average is now 10.5 months.

Last financial year, the regulator, which was without a dedicated FOI commissioner for most of the period, received 215 complaints about actions taken by agencies when handling FOI requests, an increase of 42 per cent compared to 2020–21.

Even though more of the complaints were resolved than the year prior, the increased workload meant the OAIC did not meet its performance goal of finalising 80 per cent of complaints within a year, reaching only 74 per cent.

The OAIC also missed its mark on helping improve other agencies’ processes for managing FOI requests. It made 33 recommendations to other agencies to improve last year, but only 85 per cent of them were accepted, short of the 90 per cent goal.

It’s unclear which recommendations were rejected by which agencies, but the OAIC advice typically goes to basic FOI governance like employee awareness of obligations under the Act, developing publishing operations manuals, and appointing “information champions” to have oversight of an agency’s compliance.

A dedicated FOI commissioner has been recommended for several years and was endorsed by the previous government last year. It then took nine months to fill the role, with FOI Commissioner Leo Hardiman only beginning in April.

The regulator did achieve its target for providing a review of FOI decisions by agencies and ministers, finalising 83 per cent of the nearly 1400 Information Commissioner (IC) reviews within a year.

But the regulator is operating without a dedicated Information Commissioner, with Angelene Falk holding the position as well as Privacy Commissioner.

After the OAIC budget was restricted by the Coalition government for years, Ms Falk warned the new Labor government her office was “unable to keep up” with its increasing workload.

When releasing the annual report on Wednesday, Ms Falk publicly reiterated the resource strain remains a “major challenge” to the FOI system.

“While we continually review our processes to create further efficiencies, we are also identifying where systemic improvements can be made in the FOI system,” she said.

“Importantly, proactive publication of information supports timely access to information, reduces the need for members of the community to make FOI applications and minimises FOI processing costs for agencies.”

Attorney General Mark Dreyfus has so far not committed to splitting the Information and Privacy Commissioner roles, saying in August it was still being assessed.

Through its privacy functions, the OAIC is also required to respond to written privacy and information access inquiries by the public. Last financial year it fell well short of a 90 per cent response goal at 73 per cent, blaming staff turnover and increasingly complex enquiries.

A target to finalise 80 per cent of privacy complaints within a year was met, but with a slimmer margin than the year prior.

Fewer of the Commissioner-initiated investigations (CII) into cases where serious risk to privacy has been identified – such as the Clearview AI and 7-Eleven facial recognition cases – were finalised within the OAIC’s target period.

Ms Falk opened seven privacy CIIs and finalised four in the last financial year, both drops on the previous year, with only one finalised within the eight-month goal.

The drop was because of a focus on finalising older investigations, the increase in complexity of investigations and limits on available resources, the annual report said.

Eight privacy CIIs were ongoing into this financial year, with the Optus investigation and a potential CII into the Medibank breach likely to add to the watchdog’s workload.

The engagement of staff at the OAIC fell last financial year to 70 per cent. Obtained through the APS Employee Census, the mark is a measure of the emotional connection and commitment employees have to working for their organisation. Across the APS it was 77 per cent in 2021.

“The OAIC scores were similar to comparable agencies in wellbeing policies and support, while our scores in employee engagement and innovation were marginally lower than similar agencies,” the annual report said.

“The challenging employment market and increased attrition rate are likely to have impacted the results, which were gathered during a period of significant change.”

The attrition rate at the OAIC also increased 18 per cent in a year to 35 per cent in 2021-22. This is nearly double the Australian Public Service rate of 18 per cent.

The OAIC said it is addressing this with a more flexible hybrid working environment, development opportunities and more inter-branch and inter-agency secondments.

The Australian reports that the
