Medibank data breach…threats to expose personal information and demands for ransom….Why is this news? It happens on a weekly if not daily basis. That is what criminal hackers do. The key is to get companies to properly protect their data
October 21, 2022 |
What do criminals do? They act for profit. Cyber criminals are still just criminals. They steal for monetary gain. Ransomware and just plain demanding ransoms are part of their weaponry. Exposing health and other personal information happens if the crooks think that will get the money they are after.
As the Guardian reports in Medibank says sample of stolen customer data includes details of medical procedures, the data stolen from Medibank includes details of medical procedures. The Australian has an article in a similar vein with Medibank hackers stole data on medical conditions customers and treatment. This shouldn’t be surprising. What is less understandable is why the sensitive health data was commingled with other records. Why was it not properly encrypted? Why wasn’t it siloed? (Encryption at rest on its own does little against an attacker who has valid credentials to the system that reads the data; keeping identity data and claims data apart, and keeping less of both, limits what a single compromised system can yield.)
I have been writing on cyber security and data breaches for so long that I find the breathless quality of Australian media reporting of the Medibank data breach curious. It is as if this is the only and worst data breach involving health records. It isn’t by a long chalk. The Sydney Morning Herald writes of ‘Immense harm’: Federal police investigating threat to sell Australians’ health data. The Australian, meanwhile, enters into policy speculation with Medibank hack sparks call to end companies creating data ‘honeypots’ for hackers. Where the Australian gets it wrong is that under the current Privacy Act collection of personal information should only be for a specific purpose and used for that purpose. The legislation is deeply flawed, but if properly enforced action should have been taken against companies who collect and hold onto data because it suits them. The enforcement was weak. It has always been weak. Until now no Government has much cared.
The key is for companies to take their responsibilities seriously. That means proper regulation and enforcement whereby the cost of non-compliance is high. The next issue is to make sure that when there is a data breach it is dealt with methodically and thoroughly and not turned into a cause célèbre. It helps not at all if it becomes a political battleground. The company affected has to respond appropriately and quickly, and the regulator may need to get involved. There will always be media coverage, but it shouldn’t develop a life of its own as seems to be the case with the latest spate of data breaches in Australia. It is always worth remembering that this is, at bottom, a legal issue: complying with the law.
The Australian Financial Review undertakes an analysis and critique of Medibank’s responses so far with Medibank’s ransomware response is a lesson in what not to do. It is replete with talking heads wanting to get their name out as experts prognosticating on this, that or the other relating to the Medibank data breach. Much of it is speculation rather than analysis. That said, the Medibank response has been dreadful, as bad as Optus but in a different way. Going through its media releases has been the privacy equivalent of a slow motion car crash involving a crash test dummy. Whatever data breach response plan it had was substandard. The first 24 hours should be regarded as the Golden Hours. Getting as much information about the breach as possible, starting on remediation and crafting a notice to the market, the clients, the government and the media is critical. Information to hand will always be incomplete but being as forthcoming
Its latest update, Medibank cyber incident response, provides:
As we have worked through this cyber incident, Medibank has committed to transparency about what we know, and how that could impact our customers, our people, and the broader community.
This cyber incident is now the subject of an investigation by the Australian Federal Police.
We know that our customers, people, and the community want to know what data has been stolen, and how that may affect them.
Here is what we can currently share:
- Medibank has been contacted by a criminal claiming to have stolen 200GB of data.
- The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems.
- That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
- This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.
- The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations.
What we are doing now
Medibank teams continue to work around the clock to understand what additional customer data has been affected, and how this will impact them.
This morning we will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next.
We expect the number of affected customers to grow as the incident continues.
We will continue to contact affected customers.
Medibank urges our customers to remain vigilant, and encourages them to seek independent advice from trusted sources, including the Australian Cyber Security Centre at cyber.gov.au
As always, Medibank will never contact customers requesting passwords or other sensitive information.
Customer support
We understand that this development will be upsetting.
To reduce wait times for our customers, we have redeployed our people to support new cyber response hotlines in our call centres.
Medibank and ahm customers can contact us by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates.
Our customers can also speak to Medibank’s experienced and qualified mental health professionals 24/7 over the phone to discuss any mental health questions or issues.
Medibank is in discussions with government stakeholders about what else we can do to assist our customers in safeguarding their identities and health information, and we will be in touch with customers about those steps directly.
Ongoing investigation
Medibank will not hesitate to take decisive action to safeguard our customers and our people. Our ongoing response to protect our networks and systems may cause necessary temporary disruptions to our services.
In addition to supporting the Australian Federal Police’s criminal investigation, Medibank is working with specialised cyber security firms, the Australian Cyber Security Centre (ACSC) and government stakeholders.
Medibank will continue to provide regular, transparent updates.
Medibank CEO David Koczkar said
“I unreservedly apologise for this crime which has been perpetrated against our customers, our people, and the broader community.
“I know that many will be disappointed with Medibank and I acknowledge that disappointment.
“This cybercrime is now the subject of an investigation by the Australian Federal Police.
“We will learn from this incident and will share our learnings with others.
“Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to.”
A trading halt in Medibank shares will continue until further notice.
The Sydney Morning Herald article provides:
Home Affairs Minister Clare O’Neil has warned Australians are at risk of “immense harm” if the health information allegedly stolen by hackers from Medibank Private, which counts about 4 million customers, becomes public.
The Australian Federal Police have begun an investigation into the ransom demand that Medibank received on Wednesday. It was also obtained by The Sydney Morning Herald and The Age and contains a threat from the hackers to first target 1000 high-profile Australians with their own data as a warning.
O’Neil said all cybersecurity breaches, which typically involve the theft of names or financial information, were very concerning but the Medibank breach appeared worse.
“What we have here is information that’s held by this organisation, which is healthcare information and that just on its own being made public can cause immense harm to Australians,” said O’Neil, who is also the minister for cybersecurity. “And that’s why we are so engaged with this and trying to help Medibank [with] understanding what’s happened so we can repair it.”
That health data could potentially be used to establish whether a person has had a sexually transmitted disease or is seeking help with a mental health issue. However, the hackers’ claims to have that level of data have not been confirmed and paying a ransom does not guarantee it would be returned or deleted, given the inherently criminal nature of the hackers’ actions.
Australia’s cybersecurity and spying agency, the Australian Signals Directorate, are assisting Medibank as are private cybersecurity companies.
As recently as Monday this week Medibank had reassured investors and customers that there was no sign that data had been taken in a breach it detected last week. Medibank chief executive David Koczkar on Wednesday apologised and said the insurer was doing everything it could to protect staff and customers.
O’Neil, who has spoken to Koczkar, said the number of people whose data was stolen is still unknown.
“The facts are still being established,” she said on ABC radio. “And I appreciate it might be hard to understand this from outside of a large organisation. But when you’ve got a complex technological system, it takes a bit of time to understand what has changed in that system in the event of an attack.”
O’Neil said the breach gave the government a strong mandate to toughen Australia’s laws, which it flagged in the wake of the hack on Optus last month in which details on almost 10 million Australians were exposed, but which have not been unveiled.
“We are going to be under relentless cyberattack, essentially from here on in,” O’Neil said. “And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organisations to protect customer data, and also for citizens.”
A spokesman for the Australian Federal Police issued a brief statement when asked about the breach, saying: “The AFP is aware of the matter and has no further comment at this stage.”
The Australian article provides:
Medibank is contacting customers who left the health insurer years ago, saying their data – including their claims history – may have been stolen in a cyber attack, prompting further calls to change laws about how long companies can retain personal information.
A group of hackers has approached Medibank – Australia’s biggest health insurer with more than 3.9 million members – demanding a ransom after it claimed to have stolen 200GB of personal data. The company said the “criminal” had provided a sample of 100 policies, which is understood to have come from its AHM and international student systems.
Medibank said on Thursday that Australian Federal Police were investigating the cyber attack, with data stolen including names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
“This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures. The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations,” Medibank said.
“We expect the number of affected customers to grow as the incident continues. We understand that this development will be upsetting.”
Some customers were perplexed to receive an email from Medibank chief executive David Koczkar, informing them of the potential theft, given they had left the insurer years ago.
Medibank says it must retain data for seven years under certain legal requirements, while for children they need to retain their health information until they are 25.
Attributed to the group – but unverified – are threats to sell the information to third parties and to contact Medibank customers directly to authenticate that the data has been accessed. Because Medibank is a health insurer, it collates large amounts of data including on the health of customers.
Mr Koczkar said he “unreservedly apologise[d] for this crime”.
“I know that many will be disappointed with Medibank and I acknowledge that disappointment,” he said.
“We will learn from this incident and will share our learnings with others. Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to.”
Attorney General Mark Dreyfus says the government is considering introducing new laws to prevent companies holding private information longer than necessary – with the Medibank attack the third breach to hit a major Australian company in the past month.
In a letter to customers, Mr Koczkar said data protection “remains our priority” and it was “working urgently” to establish if the hacking group’s claim is true.
“Based on our ongoing forensic investigation we are treating the matter seriously at this time,” Mr Koczkar said in the letter.
“I understand that this may cause you some concern, and I apologise. I want to assure you that the protection of your data remains our priority.
“Our systems have not been encrypted by ransomware, which means usual activities for customers continue. However, our ongoing response to safeguard our networks and systems may require necessary temporary disruptions to our services.”
But privacy and cyber experts say there are steps companies can take to make sure they aren’t creating a honeypot of data for hackers.
Professor Carsten Rudolph of Monash University’s Department of Software Systems and Cybersecurity said companies needed to consider a two pronged approach – holding not as much personal data and de-identifying that information.
Further, he said customers should be empowered to force the deletion of their personal information.
“We need to move beyond thinking about how we protect critical data sets to a strategy of data minimisation,” Professor Rudolph said.
“For a health insurer, this would mean to critically analyse what data is actually required to deliver the service. Which type of data needs to be readily available? What data can just be used for a shorter process without actually retaining it.
“Further, critical customer health information should either not be stored by an insurer at all, or if it is required, it should not be easy to link it to the customer’s identity.”
Professor Rudolph said personal information could also be encrypted so that the number of data requests could be controlled, stopping malicious activity in which a complete database is “syphoned off”.
“We should also review data sharing approaches. Currently, data sharing protocols as enabled through the Consumer Data Right framework do not give consumers the option to decide how long their data is stored,” he said.
“It merely requires the company to seek sharing permissions and then the consumer can either give consent or decide for their data not to be shared. Consumers should be empowered to make informed decisions, customise sharing permissions and should be able to enforce the deletion of data.”
Matt Boon, senior director at Australian tech research and advisory firm ADAPT, said Medibank faced a “no-win situation” in dealing with the hacking group and paying a potential ransom.
“Companies that opt to pay ransoms to attackers risk making a rod for their own backs by signalling they’re a soft target, while at the same time, refusing to pay might be seen as the company not making every effort to protect customer data,” Mr Boon said.
“That said, they may have no choice but to bow to immense pressure from the public and the Government to retrieve the information at any cost. Medibank‘s efforts to minimise the potential damage of this breach and communicate to its customers the impact on them in a clear, constructive way in the coming hours and days is vital to maintaining their trust”.
Medibank told the ASX last Thursday that it had detected “unusual activity in its network”, but added there was no evidence any sensitive data had been taken. It repeated that assurance in a statement on Monday before it revealed it had been approached by the hacking group on Wednesday, forcing it into a trading halt.
At the time, it disclosed unusual activity in its AHM and international student policy management systems, which were taken offline as a precaution.
The trading halt will continue until further notice, and the company has advised the cyber security agencies.
The breach would be the third to affect a major local corporation since September. Information relating to almost 10 million Optus customers – including some Medicare numbers – was accessed last month, and the telco has brought in Deloitte to conduct an investigation into its security systems.
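The questions raised above (why the health data was not siloed or encrypted) and Professor Rudolph’s two-pronged prescription (hold less data, and make what is held hard to link to an identity) can be made concrete. The following is an added example, not Medibank’s architecture and not code from The Australian or from Professor Rudolph. It assumes a pseudonym service holding the only secret that joins an identity silo to a claims silo (in production that key would sit in a KMS or HSM, and lookups would be logged to a SIEM; here both are in memory so the block runs offline). The member rows, clinic names and diagnosis/procedure codes are constructed placeholders, not real Medicare numbers or clinical code sets.

```python
"""Siloed identity vs. claims data with keyed pseudonyms and budgeted re-identification.

Added example; assumptions are marked in comments. Nothing here is Medibank code.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data (placeholders, not real people or real code sets).
IDENTITY_ROWS = [
    {"member_id": "M-1001", "name": "Alice Example", "dob": "1984-03-02",
     "address": "1 Sample St, Exampletown", "medicare_no": "0000000001", "phone": "0400000001"},
    {"member_id": "M-1002", "name": "Bob Example", "dob": "1991-11-17",
     "address": "2 Sample St, Exampletown", "medicare_no": "0000000002", "phone": "0400000002"},
]
CLAIM_EVENTS = [
    {"member_id": "M-1001", "service_location": "Clinic A", "diagnosis_code": "D01", "procedure_code": "P10"},
    {"member_id": "M-1001", "service_location": "Clinic B", "diagnosis_code": "D02", "procedure_code": "P11"},
    {"member_id": "M-1002", "service_location": "Clinic A", "diagnosis_code": "D03", "procedure_code": "P12"},
]


class LookupBudgetExceeded(Exception):
    """A caller asked to re-identify more tokens than its budget allows."""


class PseudonymService:
    """Holds the only secret that links a member identity to a claims token.

    Assumption: in production the key lives in a KMS/HSM and every lookup is
    logged; here the key and the token index are in memory.
    """

    def __init__(self, key: bytes, lookups_per_caller: int = 5):
        self._key = key
        self._budget = lookups_per_caller
        self._used = defaultdict(int)
        self._index = {}  # token -> member_id; the only join point between silos

    def token_for(self, member_id: str) -> str:
        # Keyed (HMAC-SHA256) pseudonym: deterministic per member, so claims for
        # one person group together, but unreversible without the key.
        tok = hmac.new(self._key, member_id.encode(), hashlib.sha256).hexdigest()
        self._index[tok] = member_id
        return tok

    def reidentify(self, caller: str, token: str) -> str:
        # Controlled join: a fixed per-caller budget means a job that tries to
        # walk the whole claims table is refused, not merely logged.
        if self._used[caller] >= self._budget:
            raise LookupBudgetExceeded(f"{caller} exceeded {self._budget} lookups")
        self._used[caller] += 1
        return self._index[token]


def build_silos(identity_rows, claim_events, svc: PseudonymService):
    """Split raw rows into an identity silo (PII, keyed by member_id) and a
    claims silo (clinical fields only, keyed by token). Data minimisation: the
    claims silo never receives name, address, DOB, Medicare number or phone."""
    identity_silo = {}
    claims_silo = defaultdict(list)
    for row in identity_rows:
        identity_silo[row["member_id"]] = {k: v for k, v in row.items() if k != "member_id"}
    for ev in claim_events:
        claims_silo[svc.token_for(ev["member_id"])].append({
            "service_location": ev["service_location"],
            "diagnosis_code": ev["diagnosis_code"],
            "procedure_code": ev["procedure_code"],
        })
    return identity_silo, dict(claims_silo)


def pii_leaked_by(claims_silo, identity_silo) -> bool:
    """Attacker's view after exfiltrating only the claims silo: True if any
    raw member_id or identity value appears anywhere in it."""
    sensitive = set()
    for member_id, row in identity_silo.items():
        sensitive.add(member_id)
        sensitive.update(str(v) for v in row.values())
    for tok, events in claims_silo.items():
        if tok in sensitive or any(str(v) in sensitive for ev in events for v in ev.values()):
            return True
    return False


def demo(lookups_per_caller: int = 2) -> dict:
    """Build the silos, check the claims dump is unlinkable, then contrast a
    small legitimate lookup with an attempted bulk re-identification."""
    svc = PseudonymService(secrets.token_bytes(32), lookups_per_caller)
    identity_silo, claims_silo = build_silos(IDENTITY_ROWS, CLAIM_EVENTS, svc)
    tokens = list(claims_silo)
    first_member = svc.reidentify("claims-job", tokens[0])  # one lookup, within budget
    refused = 0
    for tok in tokens * 3:  # a bulk export re-walking the table trips the budget
        try:
            svc.reidentify("bulk-export", tok)
        except LookupBudgetExceeded:
            refused += 1
    return {"claims_rows": sum(len(v) for v in claims_silo.values()),
            "tokens_distinct": len(claims_silo),
            "pii_leaked": pii_leaked_by(claims_silo, identity_silo),
            "first_member": first_member, "refused": refused}


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the 200GB-style dump of a claims system yields codes and locations keyed by opaque tokens, while the identity silo yields names and Medicare numbers with no clinical data; joining the two requires the pseudonym service, whose per-caller budget turns a whole-table re-identification into a refused (and, in production, alerted) request rather than a silent read.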
The AFR article provides:
The stark contrast between Medibank Private’s response to a ransomware attack and Optus’ response to its cyberattack carries lessons for boards and CEOs at a time of escalating infiltration of corporate computer systems.
Optus CEO Kelly Bayer Rosmarin has copped plenty of criticism for her response to a cyberattack revealed on September 22, but she deserves credit for responding quickly, being the face of the response from day one and putting customers first.
While it is true, there was an unseemly public squabble between Bayer Rosmarin and cyber minister Clare O’Neil over the level of sophistication of the Optus attack, Optus was quick to promise to cover the costs of identity protection.
Contrast that with Koczkar’s response which has resulted in three separate statements, three separate trading halts and no sign of the CEO putting his face to a public campaign to reassure customers.
Chanticleer is told by Medibank Private that when its systems were breached, it gave the green light to a cyber response strategy developed for this type of event.
The crisis response strategy was apparently guided by the principle of being open and honest with customers about all information available to the company.
But instead of admitting there were aspects of the attack that it did not understand or have sufficient information about, Koczkar tried to be too cute.
His initial statement to the ASX on October 13 said: “At this stage there is no evidence that any sensitive data, including customer data, has been accessed.”
This was an attempt to play down the severity of the attack and calm the waters. One wonders if Koczkar was trying to reduce the number of phone calls from concerned customers to its call centres.
The statement about lack of evidence of loss of customer information was soon found to be a grievous mistake.
When fresh information about the consequences of the attack was received, Medibank put out a second statement on Monday this week.
Once again the language used was designed to reassure customers their data was safe and not in the hands of cyber criminals.
The statement said: “There remains no evidence customer data has been removed from the network – investigation continues.”
But in the next sentence the company said: “Medibank systems detected the unusual activity consistent with the precursors to a ransomware event.”
Darren Hopkins, cyber partner at forensic analysis firm McGrathNicol, said this statement about “precursors” meant that Medibank knew a ransomware criminal had been trying to steal customer information.
Koczkar’s preferred message was conveyed to broking analysts on a call on Monday afternoon and this had the desired effect as shown by the following headline on a report by Jefferies analysts Vanessa Thomson and David Stanton: “Cyber Incident. Nothing to See Here”.
Strategy flaws
A report in The Sydney Morning Herald on Thursday showed the flaws in Koczkar’s strategy of repeatedly playing down the severity of the attack.
The article said that hackers claiming to have stolen data from Medibank Private had threatened to sell confidential customer information, including sensitive health conditions and credit card details, unless the insurer pays it a ransom.
The intervention of O’Neil was significant. On Wednesday night, she confirmed a “significant cybersecurity incident has occurred within Medibank”.
O’Neil said she had spoken with Koczkar and said “the facts are continuing to be established”. In other words, Koczkar admitted to the minister he had spent the past week jumping the gun.
The situation deteriorated on Thursday when the company issued a statement saying Medibank had “received messages from a group that wishes to negotiate with the company regarding their alleged removal of customer data”.
“This is a new development and Medibank understands this news will cause concerns for customers and the protection of their data remains our priority,” the statement said.
“Medibank is working urgently to establish if the claim is true, although based on our ongoing forensic investigation we are treating the matter seriously at this time.”
Hopkins says the fact that Medibank is negotiating with threat actors tells you it is either working through data provided to it to prove customer data has been stolen or negotiating a price.
He says Medibank’s handling of the attack compares poorly with the Optus response. He said Koczkar should have moved earlier to reveal to customers the potential severity of the attack rather than play it down.
Businesses increasingly choose to pay
The scale of the ransomware problem was made clear in the annual ransomware survey published on Thursday by McGrathNicol.
The research follows on from research conducted in 2021 and in partnership with YouGov. About 500 business owners, partners, directors and C-Suite leaders across Australian businesses with 50 or more employees were surveyed.
“The 2022 research found that almost seven in ten (69 per cent) businesses have now experienced a ransomware attack in the past five years which is a significant increase from 31 per cent in 2021,” the report said.
About 80 per cent of businesses chose to pay the ransom and the average cyber ransom amount paid was $1.01 million which is consistent with the prior year.
The average amount that businesses would be willing to pay is higher and has almost doubled to $1,288,608 compared to $682,123 in 2021.
Bayer Rosmarin has been in strong demand because of her searing experiences from the Optus attack.
Last week she made a presentation to leading CEOs at an event organised by the Business Council of Australia under Chatham House rules.
The meeting was attended by BCA CEO Jennifer Westacott, BCA president Tim Reed, Matt Comyn, CEO of Commonwealth Bank of Australia, Karen Dobson, managing director of Dow Australia & New Zealand, Danny Gilbert, managing partner, Gilbert + Tobin, Mike Henry, CEO of BHP, Susan Lloyd-Hurwitz, CEO of Mirvac Group, Rob Scott, CEO of Wesfarmers, Alan Joyce, CEO of Qantas and Alison Kitchen, chairman, KPMG Australia.
The key takeaways from the meeting were: the Commonwealth and the states and territories should advance digital identity legislation and allow businesses to participate in the design of that; and any updated penalties for privacy breaches be aligned with current practices under Australian consumer law so companies who are disclosing get time to fix it; the government designate a single co-ordinator and spokesperson accountable for whole of government responses to serious data breaches.
It is believed Optus recommended the government provide clarity about how existing laws will apply in the context of random ransomware and for a series of structured exercises with governments for responding to attacks.
The second Australian article provides:
Highly personal medical records have been stolen by the cyber ransomware gang that hacked Medibank’s customer database and is threatening to make the details public.
The “very specific’’ stolen data includes codes for medical conditions customers had been diagnosed with, and what treatment was prescribed.
This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.
The devastating data breach at the nation’s largest private health insurer has been referred to the Australian Federal Police, as the criminals behind the attack ramped up pressure on Medibank by sending the company copies of 100 customers’ stolen records.
The Australian Signals Directorate and private cyber-security firms are also working with Medibank to determine what was stolen and how the attackers infiltrated the company’s systems.
Along with names, ages, addresses, Medicare and other identifying information which would facilitate fraud, the stolen data also includes publicly identifiable codes which, if made public, would identify diagnoses and procedures the individual had undergone. It also includes the locations of where people underwent procedures.
The 100 records are thought to be the tip of the iceberg and while the 200 gigabytes of data stolen was not huge in contemporary terms, the specific nature of the records makes it an extremely concerning breach of privacy.
The full details of the attack – coming less than a month after the records of 10 million Optus customers were stolen in a cyber attack – are yet to be revealed.
Medibank said it had so far identified the breach as affecting customers of its ahm health insurance subsidiary and student services systems.
But with 3.9 million current customers, and Medibank confirming it was required to hold data for seven years, meaning former customers will likely be affected, the scale of the breach is expected to grow significantly.
Chief executive David Koczkar told The Australian the medical data collected was extremely detailed. “The data is very specific to the procedure,” he said. “We know people are going to be very anxious, we absolutely hear that.”
Mr Koczkar said the incident was now subject to an investigation by the AFP, following a ransom demand made by the hackers who threatened to release details on high-profile customers.
“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc). Also we’ve found people with very interesting diagnoses. And we’ll email them their information,” the ransom demand stated.
Home Affairs Minister Clare O’Neil said while credit cards could be replaced, making “private, personal health information available to the public was a dog act”.
“That is why the toughest and smartest people in the Australian government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens,’’ she said.
“I spoke to the Medibank CEO again for the second time this morning, and we made an agreement that officers from the Australian Federal Police and Australian Signals Directorate will locate themselves within Medibank to make sure we have every possible support to Medibank.”
Opposition cyber security spokesman James Paterson said the attack “has all the hallmarks of a very serious cyber incident”.
“The likelihood that highly sensitive and private medical information of Medibank customers has been stolen is very concerning,’’ he said.
Fergus Hanson, director of the International Cyber Policy Centre at ASPI, said while it seemed likely cyber-criminals were behind the Medibank attack, malicious state actors would also be interested in the information, particularly the private medical records, which could be used to extort or intimidate government officials and members of parliament.
He said the type of data stolen from Medibank was both “very sensitive’’ medical information, and enough personal information to facilitate fraud and identity theft. Mr Hanson said Australia was being specifically targeted by ransomware gangs because many Australian businesses paid ransoms, and the law did not specifically outlaw such payments.
“The Australian Cyber Security Centre’s guidelines are not to pay ransoms, but no one has ever been prosecuted for paying a ransom,’’ he said.
The issue was a legal grey zone, with other laws relating to dealing with organised crime potentially coming into play.
The Australian is not suggesting Medibank has paid, or is contemplating, paying a ransom.
“We are in a death spiral situation because we pay, then we get attacked and we pay and it goes on,’’ Mr Hanson said of the Australian cyber threat environment.
“Absolutely, companies pay ransom every day, it’s a very common problem. Government doesn’t respond to threat or extortion so I would be very surprised if they did (pay ransom) – certainly there are no known cases.’’
Ms O’Neil said the formal advice from government was “don’t pay a ransom’’. Asked if it was illegal to do so, she replied “no.’’ “Unfortunately, we are in a waiting game now,’’ she said.
“We’ve got criminal activity on foot. We’ve got essentially a crime being committed before our very eyes and we need to do everything we can to support Medibank.”
She said the second major breach of Australians data in just a month demonstrated “this is the new world for us” and that Australia needed to “do better”.
“We’re living in a digital age and the truth is that cybercrime is rising significantly all over the world,” she said.
“Interpol … have just made an announcement that cybercrime is their No. 1 crime concern. What it tells me is that we need to do better as a country. I think we’re in the order of five years behind where we need to be on our cyber laws and our policies and our approaches.”
Robert Potter, co-founder and CEO of Internet 2.0, said Australian businesses were being targeted every day. “It has been happening this way for years but now it’s been pushed into the public domain, people have a greater awareness,’’ he said.
Mr Potter said a balance needed to be reached between advising people their private data had been stolen and meeting mandatory reporting obligations, and not inadvertently helping criminal cyber gangs, who used publicity to help pressure companies into paying ransom.
“Public accountability is important,’’ he said, but added “so is closing down the global ransomware industry.’’
Mr Potter said media reporting of the specific threat made by the cyber gang attacking Medibank was “less than helpful”.
“We should treat it like a hate crime and not give them airtime. The focus should be on the victims,’’ he said.
Mr Potter will attend a global ransomware summit at the White House next week with Ms O’Neil and Department of Home Affairs secretary Mike Pezzullo.
Medibank has gone into a trading halt while it responds to the attack.
The company is contacting affected customers, has set up hotlines, and has mental health professionals available 24/7 to assist customers. “Medibank is in discussions with government stakeholders about what else we can do to assist our customers in safeguarding their identities and health information, and we will be in touch with customers about those steps directly,’’ it said.