Government to fast track privacy laws in response to Medibank data breach… policy on the run?
October 26, 2022 |
Governments of both persuasions have avoided privacy law reform for over 20 years. A Coalition Government made the most minimal changes to the Privacy Act in 2001 to extend it to the private sector. The ALP Government made relatively few amendments in 2012 in response to the mammoth and comprehensive Australian Law Reform Commission Report on privacy handed down in 2008. For the last 6 years the previous Coalition Government sat on another Australian Law Reform Commission Report and then instituted an internal Attorney-General’s review of the Privacy Act.
Medibank provided an update yesterday about the cyber attack in October. The data exfiltrated is more extensive than previously known. It now includes Medibank customer data of both current and previous customers. The statement provides:
There has been a further development in Medibank’s cybercrime event, which is subject to a criminal investigation by the Australia Federal Police (AFP).
It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers.
This is a distressing development and Medibank unreservedly apologises to our customers.
Here is what we can update
We have received a series of additional files from the criminal. We have been able to determine that this includes:
- A copy of the file received last week containing 100 ahm policy records – including personal and health claims data
- A file of a further 1,000 ahm policy records – including personal and health claims data
- Files which contain some Medibank and additional ahm and international student customer data
Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen. We will continue to analyse what we have received to understand the total number of customers impacted, and specifically which information has been stolen.
We have taken the step of making this announcement as we believe it is important to notify our customers of this development.
As we continue to investigate the scale of this cybercrime, we expect the number of affected customers to grow as this unfolds.
What we are doing now
Medibank is assisting the AFP in its ongoing investigation.
Today we will announce a comprehensive customer support package, which will include:
- 24/7 mental health and wellbeing support
- Support for customers who are in uniquely vulnerable positions
- Access to specialist identity protection advice with IDCARE for all customers
Given the distress this crime is causing our customers we will also defer premium increases for Medibank and ahm customers until 16 January 2023.
Last week, we began directly contacting affected customers to provide support and guidance on what to do next. As a result of today’s update, we will begin contacting current and former customers to recommend steps they could take. We will also begin contacting customers whose data we now know has been compromised.
What should customers do
Medibank urges our customers to remain vigilant to suspicious communications received via email, text or phone call.
We encourage customers to review the advice of:
- The Australian Cyber Security Centre (ACSC) at cyber.gov.au
- The Australian Government factsheet which has been developed for affected customers
Medibank and ahm will never contact customers requesting passwords or other sensitive information.
All Medibank and ahm customers can contact our cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates (https://www.medibank.com.au/health-insurance/info/cyber-security/).
Our customers can also speak to Medibank’s experienced and qualified mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325).
Ongoing investigation
In addition to supporting the AFP criminal investigation, Medibank continues to work with specialised cyber security firms, the Australian Cyber Security Centre (ACSC) and government stakeholders.
Medibank will continue to provide regular, transparent updates.
Medibank CEO David Koczkar said
“I unreservedly apologise to our customers who have been the victims of this serious crime.
“As we continue to uncover the breadth and gravity of this crime, we recognise that these developments will be distressing for our customers, our people and the community – as it is to me.
“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community.
“We continue to work closely with the agencies of the Federal Government, including the ongoing criminal investigation into this matter. We thank them for their ongoing support and assistance.”
For the avoidance of doubt the voluntary suspension continues until the earlier of a release of a further announcement by Medibank and commencement of normal trading on Wednesday 26 October 2022.
Medibank, like Optus, has mishandled the initial response to the data breach. In my experience the opening response is often a complex task: being as communicative as possible without appearing misleading if more information comes to hand later. That is why it is critical to have a team working as hard as possible at the initial stage of remediation to work out the extent of the breach. If it is impossible to determine that with certitude by the time notice should be provided, then careful wording is required. That is where having a data breach response plan is critical. I suspect Medibank and Optus didn’t have one. If they did, they should ask for their money back.
So going from chronic wheel spinning to Mach 3 law reform is quite a change. The Australian reports in Fast track for data shield that the Government will introduce a Bill to increase penalties. Hopefully the maxim “Hard cases make bad law” doesn’t apply to the proposed amendments to the Privacy Act being expedited through Parliament.
The Australian article provides:
Labor will expedite its watershed data and privacy laws as an emergency response to the Medibank data breach, after Australia’s largest private health insurance company revealed that the personal health records of four million current and all its former customers may have been stolen.
Attorney-General Mark Dreyfus is seeking to legislate significantly increased penalties for “serious or repeated” data breaches and to give the Information Commissioner sweeping powers amid concern that current laws are “hopelessly outdated”.
The Australian understands the government on Tuesday was moving to fast-track its privacy laws into the lower house as early as Wednesday morning in response to Medibank’s “distressing development” that its cyber attack affecting consumer data was much wider than originally thought.
A fortnight after a major telecommunications data breach at Optus, the insurance provider was forced to defer its premium increases following the cybercrime event, which included theft of data from its Medibank brand.
Previously, the company believed only data from its sub-brand ahm and insurance for international students had been taken. The deferments could cost the company more than $50m.
Medibank chief executive David Koczkar said the company was operating under the possibility that all four million of its customers – as well as millions of former consumers – could have been affected by the breach.
Medibank does not know how many former customers’ records have been kept but is required by law to retain the health information of adults for at least seven years, and children’s details until they reach the age of 25.
“We are dealing with a very serious criminal act and we are now operating with the knowledge that there is data that has been stolen which includes customer data from Medibank,” Mr Koczkar told The Australian.
“To me, there is no doubt this attack has been very deliberate, and done to cause maximum fear and damage to our vulnerable members of our community.
“We must operate with the potential that this could impact all of our customers.”
Medibank has been receiving regular briefings from the Australian Federal Police and has launched a detailed review into the incident.
Mr Koczkar pledged to bolster the company’s systems to protect against further cyber attacks.
“We all agree that cyber crime is an ever-present threat and I have committed to sharing the learnings of that review so we can be better armed in the future to protect these types of crimes,” he said.
The government is seeking to pass legislation that would increase the maximum fine for serious breaches from $2.2m to at least $50m.
Under the new laws, companies would also be fined three times the value of “any benefit obtained” through the misuse of information, or 30 per cent of their adjusted turnover over the period the breach was conducted.
Home Affairs Minister Clare O’Neil said the government was extremely concerned about the attack, given the personal nature of the stolen health data, and the damage could be “irreparable”.
Speaking to the House of Representatives, Ms O’Neil said the cyber criminals responsible for the theft were “a dog act, scum of the earth, lowest of the low territory”.
The federal government has activated its National Co-ordination Mechanism to streamline its response to the attack, bringing together agencies across federal and state governments to ensure swift support is provided to vulnerable groups.
The crisis body was set up by the former government as a response mechanism to deal with the most “difficult and complex” aspects of pandemic management.
“Australians who are struggling with mental health conditions, drug and alcohol addiction, with diseases that carry some shame or embarrassment, they are entitled to keep that information private and confidential,” Ms O’Neil said.
“Cyber criminals are the thugs of the 21st century, the bag snatchers and armed robbers.
“We need to do more to step up as a country. This government is doing everything it can to protect Australians against this breach.”
Medibank on Tuesday was forced to roll out a comprehensive customer support package in response to the attack, including 24/7 mental health and wellbeing support, support for vulnerable customers and access to specialist identity protection advice.
The company is in a voluntary trading halt due to end on Wednesday morning.
On Monday, the company revealed the criminal behind the data hack bought login credentials to gain access to the network from an online Russian criminal forum and did extensive reconnaissance before collecting the data, which experts estimate would have lasted months.
A credential broker – which refers to a type of criminal who steals and sells credentials – stole a Medibank login with a high level of access to the health insurer’s network, before advertising the information on a Russian language criminal forum.
A second criminal bought the data, which they used to access Medibank, and began collecting intelligence on the structure and function of the network.
It is not known how long the criminal who bought the Medibank login was on the network, with investigations by the AFP and Australian Signals Directorate still ongoing.
Opposition cyber security spokesman James Paterson called on the government to release a timeline detailing the actions it took following the initial attack on October 13.