Another report on Australian police improperly accessing databases, affecting more than 2,000 people. Quelle surprise

June 28, 2024

The Guardian has undertaken an investigation of police misusing databases in Revealed: Australian police accused of improperly accessing force databases more than 2,000 times.

The story makes for depressing reading but is nothing that I have not written about for years. The controls remain ineffective and the consequences for misusing this data are inadequate.

The article provides:

Advocates say complaints about unauthorised access of police databases may be ‘tip of the iceberg’ – and are particularly worried about cases involving family violence

Fran* noticed her son-in-law’s behaviour was escalating. She says he was increasingly controlling of her daughter Sarah’s* life – monitoring her finances and being verbally abusive.

The three were all living together and the situation felt particularly risky because he was a police officer. He had surveillance skills and access to information that seemed to give him a sense of power, and he held it over their heads.

This blew up after Simon*, a family friend, started pushing back on her son-in-law’s conduct. Simon called “a spade a spade”, Fran says, and he wouldn’t back down.

Read the rest of this entry »

Information Commissioner publishes concise statement in its civil penalty proceeding against Medibank Private

June 18, 2024

Yesterday the Australian Information Commissioner published its Concise statement in its civil penalty proceeding against Medibank Private. It has been reported in the ABC under the heading “The absence of multi-factor authentication led to the Medibank hack, regulator alleges.” The story has also been covered by the Guardian with Medibank’s lack of multi-factor authentication allowed hackers to infiltrate systems, regulator alleges.

The Commissioner has listed Important Facts as being:

  • For the financial years ending 30 June 2021, 2022, and 2023, Medibank generated revenue of approximately $6.9 billion, $7.1 billion, and $7.1 billion and annual profit before tax of $632.3 million, $560 million, and $727.1 million, respectively.
  • As at 30 June 2022, Medibank employed approximately 3,291 full time employees
  • the personal information collected and held by Medibank included:
    • names,
    • dates of birth,
    • home addresses,
    • phone numbers,
    • email addresses,
    • employment details,
    • passport numbers,
    • Medicare numbers,
    • financial information, and
    • sensitive information about customers’:
      • race and ethnicity,
      • illnesses,
      • disabilities or injuries, and
      • health services
  • Prior to 7 August 2022 an IT Service Desk Operator who was an employee of a Medibank contractor had access to the Medibank Admin Account using his Medibank Credentials.
  • the contractor saved his Medibank username and password (Medibank Credentials) to his personal internet browser profile on his work computer. When he subsequently signed into his internet browser profile on his personal computer, the Medibank Credentials were synced across to his personal computer
  • the Admin Account had access to most (if not all) of Medibank’s systems, including:
    • network drives,
    • management consoles, and
    • remote desktop access to jump box servers (used to access certain Medibank directories and databases)
  • on or about 7 August 2022 the Medibank Credentials were stolen from the IT Service Desk Operator’s personal computer by a threat actor, commonly and better known as a hacker, using a variant of malware which is known to the parties but not publicly disclosed
  • on 12 August 2022 the hacker logged onto Medibank’s Microsoft Exchange server and tested the Medibank Credentials for the Admin Account
  • on or around 23 August 2022 the hacker authenticated and logged onto Medibank’s “Global Protect” Virtual Private Network (VPN) solution (which controlled remote access to the Medibank corporate network) and began entering malicious scripts
  • the hacker was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required
  • on 25 and 25 August 2022 Medibank’s Endpoint Detection and Response (EDR) Security Software sent alerts about the hacker’s activities to a Medibank IT Security Operations email address. These alerts were not appropriately triaged or escalated by either Medibank or its service provider, Orro, at that time.
  • from 25 August 2022 until around 13 October 2022 the hacker used Medibank Credentials to access numerous Medibank IT systems and exfiltrated 520 gigabytes of data including names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health related information and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, treatment dates).
  • On 11 October 2022, Medibank:
    • triaged a high severity incident for an alert that identified modification of files needed to exploit the “ProxyNotShell” vulnerability.
    • engaged Threat Intelligence, its existing digital forensics and incident response partner, to perform an incident response investigation.
  • Until at least 16 October 2022, when a Threat Intelligence analyst noted that there had been a series of suspicious volumes of data exfiltrated out of Medibank’s network, Medibank was not aware that customer data had been accessed
  • on 19 and 22 October 2022 respectively, Medibank was contacted by the hacker and provided with files containing sample data that had been exfiltrated from Medibank’s systems
  • Between 9 November 2022 and 1 December 2022, the hacker published data exfiltrated during the data breach on the dark web.
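The configuration the Commissioner describes, a VPN that accepts a device certificate alone or a username and password alone, is exactly what a defender can hunt for in authentication logs. The following is an added example, not part of the Concise Statement or any Medibank or Palo Alto code; it assumes a constructed key=value log format rather than GlobalProtect’s real syslog format, and reports every successful remote-access login that presented no MFA factor.

```python
"""Flag remote-access logins that succeeded on a single factor.

Constructed log format (an assumption, not GlobalProtect's real syslog
format): one event per line, space-separated key=value pairs.
"""
import re
from dataclasses import dataclass

# Factors that count as a genuine second proof of identity.
MFA_FACTORS = {"otp", "push", "hardware_token"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class LoginEvent:
    ts: str
    user: str
    src: str
    factors: tuple  # e.g. ("password",) or ("password", "otp")
    result: str

def parse_line(line: str) -> LoginEvent:
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    factors = tuple(f for f in kv.get("factors", "").split(",") if f)
    return LoginEvent(kv["ts"], kv["user"], kv["src"], factors, kv["result"])

def single_factor_logins(lines):
    """Return successful logins where no MFA factor was presented.

    A device certificate alone, or a username/password alone, is treated
    as single-factor, matching the two cases the Concise Statement
    says the VPN accepted, so both are reported.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.result != "success":
            continue
        if not (set(ev.factors) & MFA_FACTORS):
            findings.append(ev)
    return findings

# Constructed sample events (documentation IP ranges, not real Medibank data).
SAMPLE_LOG = [
    'ts=2022-08-23T10:01:00Z user=svc.admin src=203.0.113.7 factors=password result=success',
    'ts=2022-08-23T10:02:00Z user=jane.doe src=198.51.100.9 factors=password,otp result=success',
    'ts=2022-08-23T10:03:00Z user=laptop-42 src=198.51.100.12 factors=device_cert result=success',
    'ts=2022-08-23T10:04:00Z user=svc.admin src=203.0.113.7 factors=password result=failure',
]

if __name__ == "__main__":
    for ev in single_factor_logins(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user} from {ev.src}: factors={ev.factors} (no MFA)")
```

Run against real VPN logs, a non-empty result is a finding in itself: it shows the gateway is still accepting a single proof of identity for some accounts.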

Read the rest of this entry »

Cyber attack on London hospitals by Russian Crime Group impacts delivery of blood transfusions

June 13, 2024

The health industry is a prime and consistent target for cyber attacks as well as more analog data breaches, as I have posted many times in the past. A recent attack by Russian crime groups on London hospitals, in particular King’s College hospital, Guy’s and St Thomas’ and Synnovis, a pathology services firm, has had a catastrophic impact on their operations. The damage has been so severe that the NHS has called for O-type blood donations because the cyber attack has meant that the hospitals cannot match patients’ blood. This is against a backdrop where the Norfolk and Norwich University Hospitals NHS Foundation Trust paid out 47,000 pounds in compensation for data breaches between 2020 and 2023. Last year NHS trusts were discovered sharing patient data with Facebook without consent.

The problem has become so endemic in the UK that the Information Commissioner issued a press release on 10 May 2024 titled Organisations must do more to combat the growing threat of cyber attacks.

There is no reason to believe the situation is any better in Australia, as the recent massive data breaches at Optus and Medibank Private highlight that inadequate data security and the pervasiveness of cyber attacks are an international problem.

The Commissioner’s press release Read the rest of this entry »

MediSecure placed in administration, weeks after data breach

June 6, 2024

The cost of remedial work after a data breach has always been significant and sometimes extreme. Those costs typically start with bringing in cyber security experts and other IT people to locate the malware and find the point of ingress. Then there is repair work to be done; there may be significant damage to systems. Then there is the cost of assessing the damage, determining what has been stolen and reconstructing files. There are the notification obligations and the prudent steps to advise clients of what has happened, which involve PR and human resources staff. Then there are the potential legal issues, sometimes involving the regulator, sometimes a class action, and sometimes simply getting advice. And the costs continue. In the United States in 2023 the average cost of a data breach was $4.45 million according to Ponemon. The average cost of a data breach in the Middle East was $8.07 million, in Canada it was $5.13 million, in Germany $4.67 million, and in Japan $4.52 million. These figures are almost certainly understatements: there is significant under-reporting and not all expenses are included in the calculations. CEOs and CFOs are invariably shocked by the initial cost and the ongoing costs of dealing with a data breach. The phrase a “spoonful of prevention is worth a pound of cure” is apt. In my experience that rarely happens. Organisations often keep the C suite far away from IT and cyber security operations. Even CIOs focus on data collection and impressive homepages; having a comprehensive data security system is a secondary concern. And oftentimes there is no data breach response plan.

A cost often not properly considered is the reputational damage to an organisation and the consequential loss of market. To highlight that, MediSecure suffered a data breach a few weeks ago. It has now appointed an administrator after its attempts to have the Federal Government bail it out failed. The ABC has covered the story, stating:

The health company at the centre of a recent cyber attack has gone into administration, just weeks after it asked the federal government for a bailout.

National cyber security coordinator Michelle McGuinness says the Australian Federal Police is also looking into the breach.

Some of the information stolen, including patient data relating to scripts and the personal information of healthcare providers, is now on the dark web for sale. The dark web is only accessible via specialised web browsers and is often used to sell illegal items, including stolen data. Read the rest of this entry »

GhostR claims it has stolen data from Australian logistics company Victorian Freight Specialists

June 5, 2024

These days hackers are quite sophisticated in announcing successful attacks. Often that is done via forums on the dark web. And so GhostR, a financially motivated hacker group, claims to have stolen data from Australian logistics company Victorian Freight Specialists. There has been nary a word from Victorian Freight Specialists. That does not mean Victorian Freight are being especially clever or that this is part of its strategy. More often than not companies have no data breach response plan. GhostR claims to have breached the company on 26 May and to have taken 846 gigabytes of company data. Sample data appears to include internal data taken from an SQL database and screenshots of logon screens. Information Security Media Group could not immediately verify the legitimacy of the data. The company website appeared to briefly go dark, although it is currently working. Victorian Freight Specialists did not immediately respond to a request for comment.

GhostR only recently threatened to Read the rest of this entry »

Attorney General of Texas launches a data privacy and security initiative… Not the usual headline one expects in Texas

As if any more proof were required that privacy and data security are not an ideological issue, the Attorney General of Texas has announced an initiative to protect “Texans’ Sensitive Data from Illegal Exploitation by Tech, AI, and Other Companies.”

The press release Read the rest of this entry »

Office of the Information Commissioner commences civil penalty proceedings against Medibank today

The Australian Information Commissioner has issued civil penalty proceedings against Medibank Private Limited arising from the massive October 2022 data breach. That is 20 months after the breach. This adds to Medibank’s litigation arising from that data breach. There is also a class action in the Federal Court against Medibank, Zoe Lee McClure v Medibank Private Limited (ACN 080 890 259). It is also subject to a representative complaint.

Medibank did not issue a press release but it did release a notice to the Australian Stock Exchange stating:

Medibank advises that the Australian Information Commissioner has today commenced civil penalty proceedings against Medibank in the Federal Court of Australia in connection with the 2022 cybercrime event.

The proceedings relate to the Commissioner’s own investigation into the 2022 cybercrime event. The Commissioner alleges that Medibank breached Australian Privacy Principle 11.1.

Medibank intends to defend the proceedings.

The Commissioner’s press release provides:

The Australian Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach.

The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.

The proceedings follow an investigation initiated by Australian Information Commissioner Angelene Falk after Medibank was the subject of a cyber attack in which one or more threat actors accessed the personal information of millions of current and former customers, which was subsequently released on the dark web. Read the rest of this entry »