Medibank saga reveals that personal information of those who inquired about but did not obtain private health cover from Medibank was accessed in the data breach. Real questions over data minimisation policies of Medibank
January 24, 2023 |
The lesson from overseas is that the data breach is only the beginning of the affected organisation's problems. As the organisation and, significantly, the regulator review the carnage, the investigation goes well beyond the cause of the breach and the security measures that were in place, and extends to general data collection and handling. Organisations with poor data security commonly have a poor understanding of data collection. All too often organisations collect too much personal information, including information that is not relevant to their operations, and keep what they collect for too long, often never culling irrelevant information at all. Investigations then expand and, often enough, penalties accrue. Sometimes an organisation receives a greater penalty for breaches of the data protection laws not directly related to the data breach itself. These investigations increase the time it takes to put the data breach behind the organisation, increase the cost and further harm the organisation's reputation. Almost invariably these other deficiencies could easily have been avoided with proper advice, policies, protocols and training.
The Australian reports, in Data at risk just asking for Medibank quote, that non-customers of Medibank who provided personal information in their inquiries about policies had that information compromised by the Medibank hack. That information includes names, gender, date of birth, email and phone details. As with many organisations, there was a commercial benefit in collecting that information even if the individuals did not purchase a policy: it can be used for marketing and modelling. That said, such collection and retention is in breach of the Privacy Act and contrary to the principle of data minimisation. Australian Privacy Principle 3 limits collection to personal information that is reasonably necessary for the organisation's functions or activities, and APP 11.2 requires personal information to be destroyed or de-identified once it is no longer needed for any purpose for which it may be used or disclosed.
Maurice Blackburn, Banister Law and Centennial Lawyers have joined together in a representative action involving as many as 9.7 million people affected by the Medibank data breach.
The Australian article provides:
Australians who inquired but did not purchase corporate private health policies via their employer are the latest victims of the nation’s second largest cyber breach, with their personal details including home addresses, phone numbers and visa subclasses being exposed on the dark web.
Non-customers of Medibank who were drawn to discounted programs advertised by their employer as a workplace benefit are now having to secure their emails, passwords and other details after they were stolen by a hacker.
Emails seen by The Australian show those who enquired about policies with Medibank have had their first name and surname, gender, date of birth, email, address, phone number and visa subclass, start date and expiry date should they have been an overseas worker, exposed.
“Hi, we’re writing to you as you had previously obtained a quote from Medibank. We’re deeply sorry to inform you that we believe some data you provided for the quote has been stolen and released on the dark web, as a result of the recent cybercrime,” read Medibank’s email to customers.
Of the 9.7m people caught in the Medibank breach, 4 million were active customers at the time of the breach. Others included legacy customers, AHM customers and non-customers who had requested quotes.
“We sincerely apologise to all customers who have been impacted by the cybercrime. We have a Cyber Response Support Package available for all customers, including people who received a quote, which includes mental health, identity protection and financial hardship measures,” a Medibank spokeswoman told The Australian.
The intrusive race for companies to collect as much data as possible is increasingly putting people at risk of cyber breaches, and in many cases is happening beyond their knowledge, said Macquarie University security studies and criminology associate professor Jeffrey Foster.
“When we look across these kinds of data, you can see why companies want this, even if you’re not a customer. They want that personal information and your contact to help them make you a customer later on,” he said.
“It makes it difficult for a company to intentionally remove this data when it adds financial value to them and is not regulated”.
Most people who had inquired about private health insurance with Medibank would have been largely unaware the company had stored their data and that their personal information could have been breached, he said.
“Of course, there will have been a tick box they ticked somewhere that said, ‘I have read and agree to the terms of this agreement’. The biggest lie ever told is that particular line … nobody reads it.”
The news of non-customers being caught up in the Medibank breach should alert the broader public to the dangers of what almost all companies are doing with consumer data, Mr Foster said.