Medibank’s woes continue... with a further document dump and a formal announcement that the Information Commissioner has opened an investigation into the data breach. A salutary warning to organisations to keep data secure to start with.
December 4, 2022
The core advice given by privacy lawyers is that organisations should put the time, effort and coin into having proper software, systems and training to minimise the chance of a data breach rather than spending multiples of that time, effort and money in cleaning up after a data breach. The Medibank data breach highlights the correctness of that approach. Medibank is suffering multiple wounds from the hackers who stole the personal information of millions of its customers. The latest assault is the release of a significant volume of data onto the dark web.
The Medibank press release provides:
We are aware that stolen Medibank customer data has been released on the dark web overnight.
We are in the process of analysing the data, but the data released appears to be the data we believed the criminal stole.
Unfortunately, we expected the criminal to continue to release files on the dark web.
While our investigation continues there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand.
Medibank CEO David Koczkar said while there are media reports of this being a signal of ‘case closed’, our work is not over.
“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.
“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.
“If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.
“Anyone who downloads this data from the dark web, which is more complicated than searching for information in a public internet forum, and attempts to profit from it is committing a crime.
“The Australian Federal Police have said law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank customer data. We continue to work closely with the Australian Federal Police who are focused, as part of Operation Guardian, on preventing the criminal misuse of this data.
“Again, I unreservedly apologise to our customers.
“We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web,” Mr Koczkar said.
Our customers can also contact us to understand what data has been accessed – we’ve extended call centre hours and we’ve increased our customer support team by more than 300 people. In addition, from this week, we’re taking extra security steps to further protect our customers – with two-factor authentication in our contact centres. So, when a customer calls for support, we can verify their identity and be sure we’re speaking with them and not someone else.
Data released on the dark web today
We are conducting further analysis on the files today and at this stage believe:
- There are 6 zipped files in a folder called ‘full’ containing the raw data that we believed the criminal stole
- Much of the data is incomplete and hard to understand
- For example, health claims data released today has not been joined with customer name and contact details
Given the sensitive nature of the stolen customer data that is being released on the dark web we continue to ask the media and others to support our ongoing efforts to minimise harm to customers, and not to unnecessarily download sensitive personal data from the dark web and to refrain from contacting customers directly.
Supporting our customers
Our dedicated Cyber Response Support Program for our customers includes:
• A cybercrime health & wellbeing line (1800 644 325) – counsellors that have experience supporting vulnerable people (such as those at risk of domestic violence) and have been trained to support victims of crime and issues related to sensitive health information
• Mental health outreach service – proactive support service for customers identified as being vulnerable, or through referral from our contact centre team
• Better Minds App – new tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear, with additional phone based psychological support available
• Personal duress alarms – for customers particularly vulnerable and/or with safety risks
• Hardship support for customers who are in a uniquely vulnerable position as a result of this crime which can be accessed via our contact centre team (13 23 31 for Medibank and international customers, 13 42 46 for ahm customers and 1800 081 245 for My Home Hospital patients)
• Specialist identity protection advice and resources through IDCARE’s purpose-built Medibank page
• Free identity monitoring services for customers whose identity has been compromised as a result of this crime
• Reimbursement of ID replacement fees for customers who need to replace any identity documents that have been compromised as a result of this crime
• Specialised teams to help our customers who receive scam communications or threats
Reach out for support
We understand this crime will be distressing for many of our customers.
Customers should reach out for support if they need it from:
• Medibank’s Mental Health Support line on 1800 644 325 (Medibank international students call 1800 887 283 and ahm international students call 1800 006 745)
• Beyond Blue (1300 224 636 / beyondblue.org.au)
• Lifeline (13 11 14 / lifeline.org.au)
• Their GP or other relevant health professional
Remaining vigilant
Medibank recommends being vigilant with all online communications and transactions including:
• Being alert for any phishing scams via phone, post or email
• Verifying any communications received to ensure they are legitimate
• Not opening texts from unknown or suspicious numbers
• Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentication on any online accounts where available
• Medibank will never contact customers asking for password or sensitive information
If you are contacted by someone who claims to have your data, or you are a victim of cybercrime, you can report it at ReportCyber on the Australian Cyber Security Centre website. To report a scam, go to ScamWatch. If you believe you are at physical risk, please call emergency services (000) immediately.
Customer data we currently believe the criminal has stolen
• The name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
• Medicare numbers (but not expiry dates) for ahm customers
• Passport numbers (but not expiry dates) and visa details for international student customers
• Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
• Health provider details, including names, provider numbers and addresses
Based on our investigations to date, we currently believe the criminal:
• Did not access primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers. Medibank does not collect primary identity documents for resident customers except in exceptional circumstances
• Did not access health claims data for extras services (such as dental, physio, optical and psychology)
• Did not access credit card and banking details
Given the prior involvement of Government in what has now become a saga, it is hardly surprising that the relevant Ministers, Dreyfus and O’Neil, put out a statement generally reinforcing what Medibank said and shaking a finger at the hackers. It states:
This morning the Australian Government was advised that the cyber criminals who stole from Medibank and AHM customers have released potentially all stolen data onto the dark web.
The Australian Signals Directorate first engaged Medibank on 12 October, and the Australian Government stands with the victims of this cyber incident.
The release of such sensitive and personal data is morally reprehensible.
We anticipated the release of this data, which is why we activated the National Coordination Mechanism to ensure that all possible support is being provided to Medibank and those affected by this incident. The NCM has met today to respond to this latest development.
As previously stated, we have asked Medibank to develop a one-stop shop to support affected customers.
If you are a Medibank Private customer and are concerned about the data released today, please call 13 23 31.
If you are an AHM customer, please call 13 42 46.
Practical advice to help individuals and businesses boost their cyber security is available on the Australian Cyber Security Centre’s website at cyber.gov.au
- Monitor all your devices and accounts for unusual activity. Report unusual activity to cyber.gov.au, IDCARE (1800 595 160), and your bank.
- Be alert for scams that make reference to Medibank Private. Do not click on links in suspicious emails or messages that reference Medibank Private. Visit scamwatch.gov.au for help.
- Ensure your devices and accounts have the latest security updates. This includes ensuring your devices and accounts have multi-factor authentication enabled.
- Replace your Medicare card if you believe it has been stolen. This can be done at no cost through MyGov.
The Australian Federal Police is conducting two operations in response to the Optus and Medibank data breaches.
Operation Guardian is a joint initiative with state and territory police set up in September to protect customers whose personal information has been released.
Operation Pallidus was launched to investigate the criminal data breach against Medibank Private.
This week the Australian Parliament passed tough new laws to increase the maximum penalties for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of $50 million; three times the value of any benefit obtained through the misuse of information; or 30 per cent of a company’s adjusted turnover in the relevant period.
After a wasted decade for digital reform, the Australian Government is stepping up on cyber security and ransomware.
The Government has begun work on a new cyber strategy for the nation. This will drive a whole-of-nation effort to counter cyber threats.
The Medibank and Optus data breaches were significant in size and impact. They affected millions of people. But they are hardly extraordinary compared to significant breaches overseas or the number of breaches in Australia. The sooner political commentary and involvement takes a back seat and the regulator steps in the better. Some breaches will always attract political attention but the fewer the better.
To cap off a bad week for Medibank, the Information Commissioner has formally commenced an investigation into Medibank’s data handling. The overseas experience is that a regulator investigating an organisation’s breach often ends up examining problematic practices more broadly, which can sometimes result in an even greater penalty than that associated with the data breach itself. It is not surprising that organisations that suffer a data breach have poor data handling practices throughout the organisation.
The Information Commissioner’s announcement provides:
The Office of the Australian Information Commissioner (OAIC) today commenced an investigation into the personal information handling practices of Medibank in relation to its notifiable data breach.
This decision follows the OAIC’s preliminary inquiries commenced into the matter in October.
The OAIC’s investigation will focus on whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.
The investigation will also consider whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).
If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of individuals has occurred, the Commissioner may make a determination that can include requiring Medibank to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.
Given that the breach involves sensitive information, we remind any Medibank customers affected that they may seek assistance through Medibank’s helpline.
Australian Information Commissioner and Privacy Commissioner Angelene Falk also reminded organisations covered by the Privacy Act 1988 to ensure they take reasonable steps to protect the personal information they hold.
“All organisations should review their personal information handling practices to ensure reasonable security safeguards are in place,” she said.
In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.
About Commissioner-initiated investigations
The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP 1 under section 40(2) of the Privacy Act.
Preliminary inquiries will continue with Medibank regarding compliance with the Notifiable Data Breaches scheme.
Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.
Medibank has learned from very hard experience that candour and transparency, or at least the appearance of both, are important, as is keeping ahead of the story rather than playing catch up. Its notice on 1 December was more in line with good practice. The story was quickly picked up and developed by ZDNet’s Medibank hackers reportedly release all data on dark web, the Guardian’s Medibank hackers announce ‘case closed’ and dump huge data file on dark web, the ABC’s More Medibank customer data released onto dark web. Has everything now been released? and, among other pieces, Medibank prognosis gets worse after more stolen data leaked.