Medibank’s woes continue…a typical by-product of a major data breach

April 28, 2023

A data breach is just the start of an organisation’s problems. Regulators become involved, there is a need for a major organisational review, new hires of experts and a few firings of those who did not do their job properly. And then there is the litigation. In 2022 IBM released a very influential report titled Cost of a data breach 2022.

Some of the findings were:

  • 83% of organizations studied have had more than one data breach
  • 60% of organizations’ breaches led to increases in prices passed on to customers
  • 79% of critical infrastructure organizations didn’t deploy a zero trust architecture
  • 19% of breaches occurred because of a compromise at a business partner
  • the average total cost of a data breach was USD 4.35 million
  • the average cost of a ransomware attack, not including the cost of the ransom itself, was USD 4.54 million
  • the average difference in cost where remote work was a factor in causing the breach versus when it wasn’t a factor was USD 1 million
  • healthcare was the costliest industry for data breaches, with an average cost of USD 10.10 million. It was followed by the financial, pharmaceutical, technology and energy industries
  • the average time to identify and contain a data breach was 277 days
  • the average cost of a breach for organizations with high levels of compliance failures was USD 5.57 million
  • the average total cost for breaches of 50 million to 60 million records was USD 387 million
  • the average total cost for breaches involving 20 million to 30 million records was USD 241 million

Today Medibank advised via a media release titled Cybercrime update – Deloitte incident review

The release provides:

On 23 February 2023, as part of its HY23 financial results presentation, Medibank outlined the circumstances surrounding how the criminal accessed its systems, what it had done in response and its key focus areas going forward, including shutting down the attack path and strengthening its security environment.

Deloitte has been conducting an external incident review into the circumstances surrounding the cybercrime event. Medibank confirms that it has now been provided with Deloitte’s findings from that review.

Deloitte has made recommendations to enhance Medibank’s IT processes and systems. A number of recommendations have already been implemented, and Medibank intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank.

Medibank will also continue to review its cyber security governance arrangements, recognising the increasing prevalence of cybercrime and the need to meet the ongoing expectations of our customers.

This cybercrime remains the subject of a criminal investigation. Medibank continues to work with the Australian Federal Police, the Australian Government and regulators. As previously committed, Medibank will continue to share lessons from the cybercrime with other Australian businesses, where it can.

Medibank Chair Mike Wilkins said:
“This cybercrime was a deliberate and malicious attack. Our focus has been to ensure that we closed down the attack path and enhance our systems and processes to provide our customers with the security they expect and deserve.

“Medibank has completed a range of enhancements to meet this expectation and the Board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further.

“From the beginning of this cybercrime, Medibank has continued to prioritise and support the needs and health of our customers and to ensure the earliest possible resumption of normal business operations.”

It is a model of using a lot of words to say not much. It acknowledges receipt of a report, which was part of the response announced. It says that Deloitte “made recommendations to enhance Medibank’s IT processes and systems.” Whatever that means. It is so vague as to cover just about anything in IT. Medibank is then somewhat self-serving in saying that it has done some of those things, again not described even in general terms. This report will almost certainly be discoverable in the class action against Medibank.

This has prompted a report from The Australian headed Medibank won’t release report into cyber attack. In this story the representatives of Medibank talk about the sensitivity and confidentiality of what is in the report. A familiar response, which usually overstates what is covered in a report.

The article provides:

Australia’s largest health insurer Medibank has implemented recommendations from a Deloitte report into the cyber attack that affected millions of its customers, but says it won’t be releasing the report, citing security risks.

Russian hackers accessed the health records and other personal information from almost 10 million current and former Medibank customers. After the company refused to pay a $15m ransom, it published customer claim data for sensitive conditions – including abortions, drug and alcohol abuse and mental health disorders – on the dark web.

The company told investors on Friday that it had been provided with Deloitte’s findings from a review into the cybercrime incident.

“Deloitte has made recommendations to enhance Medibank’s IT processes and systems,” it said.

“A number of recommendations have already been implemented, and Medibank intends to implement all recommendations not already undertaken, along with other enhancements previously planned by Medibank.”

A spokeswoman told The Australian it wouldn’t be detailing the findings or releasing the report. She said the review includes confidential and sensitive information about the cyber security measures that Medibank has in place to protect customers and other data from malicious cyber-attacks.

“We don’t think it is in the interests of our customers or the broader Australian community to publicly release their findings given the security risks this would pose, not only to Medibank but other Australian businesses,” the spokeswoman said.

Medibank chair Mike Wilkins said the incident was a ‘deliberate and malicious attack’ that remains the subject of a criminal investigation.

“Medibank has completed a range of enhancements to meet this expectation and the board will continue to oversee the completion of steps to implement the recommendations to enhance systems and processes even further,” he said.

“From the beginning of this cybercrime, Medibank has continued to prioritise and support the needs and health of our customers and to ensure the earliest possible resumption of normal business operations.”

Analysts have estimated the clean-up bill – which includes customer lawsuits – could cost Medibank as much as $150m.

The company is facing a class-action lawsuit from customers, who filed in the Federal Court of Australia in February.

Medibank has said it will defend the proceedings.

Optus is also waiting on an external Deloitte report into its hack, also late last year, that affected some 10 million Optus customers. Optus has not said whether the report, which is due in late May, would be made public.

It comes amid ongoing work on the federal government’s upcoming new cyber security strategy, which has a stated goal of making Australia the most cyber secure nation by 2030.

Work on the new strategy, which is set to be released by the end of the year, is being led by former Telstra chief executive Andy Penn, with support from RAAF Air Marshal Mel Hupfeld and Rachel Falk of the Cyber Security Co-operative Research Centre.

Medibank refused to pay the hacker’s cyber ransom and a key consideration of the upcoming strategy will be whether to ban the payment of cyber ransoms. Finance provider Latitude this month also rejected a ransom demand from criminals behind what has now become the nation’s biggest cyber attack.

As The Australian reported earlier this week power giant AGL Energy has warned against such a ban, declaring that such a move may result in potential loss of life and “catastrophic damage”.

In its submission to the government’s 2030 cyber strategy, AGL said banning paying ransoms “may result in potentially avoidable catastrophic damage, harm to community, loss of life, disruption of essential services or disclosure of sensitive information”.

Shares in Medibank last traded at $3.55.
