Medibank’s woes continue….with a further document dump and formal announcement that the Information Commissioner has opened an investigation into the data breach. A salutory warning to organisations to keep data secure to start with.

December 4, 2022

The core advice given by privacy lawyers is that organisations should put the time, effort and coin into having proper software, systems and training to minimise the chance of a data breach rather then spending multiples of that time, effort and money in cleaning up after a data breach.  The Medibank data breach highlights the correctness of that approach.  Medibank is suffering multiple wounds from the hackers who stole the personal information of millions of its customers. The latest assault is the release of a significant volume of data onto the dark web. 

The Medibank press release provides:

We are aware that stolen Medibank customer data has been released on the dark web overnight.

We are in the process of analysing the data, but the data released appears to be the data we believed the criminal stole.

Unfortunately, we expected the criminal to continue to release files on the dark web.

While our investigation continues there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand.

Medibank CEO David Koczkar said while there are media reports of this being a signal of ‘case closed’, our work is not over.

“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.

“If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.

“Anyone who downloads this data from the dark web, which is more complicated than searching for information in a public internet forum and attempts to profit from it is committing a crime.

“The Australian Federal Police have said law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank customer data. We continue to work closely with the Australian Federal Police who are focused, as part of Operation Guardian, on preventing the criminal misuse of this data.

“Again, I unreservedly apologise to our customers.

“We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web,” Mr Koczkar said.

Our customers can also contact us to understand what data has been accessed – we’ve extended call centre hours and we’ve increased our customer support team by more than 300 people. In addition, from this week, we’re taking extra security steps to further protect our customers – with two-factor authentication in our contact centres. So, when a customer calls for support, we can verify their identify and be sure we’re speaking with them and not someone else.

Data released on the dark web today

We are conducting further analysis on the files today and at this stage believe:

    • There are 6 zipped files in a folder called ‘full’ containing the raw data that we believed the criminal stole
    • Much of the data is incomplete and hard to understand
    • For example, health claims data released today has not been joined with customer name and contact details

Given the sensitive nature of the stolen customer data that is being released on the dark web we continue to ask the media and others to support our ongoing efforts to minimise harm to customers, and not to unnecessarily download sensitive personal data from the dark web and to refrain from contacting customers directly.

Supporting our customers

Our dedicated Cyber Response Support Program for our customers includes:
A cybercrime health & wellbeing line (1800 644 325) – counsellors that have experience supporting vulnerable people (such as those at risk of domestic violence) and have been trained t
o support victims of crime and issues related to sensitive health information • Mental health outreach service – proactive support service for customers identified as being vulnerable, or through referral from our contact centre team
Better Minds App – new tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear, with additional phone based psychological support available
Personal duress alarms – for customers particularly vulnerable and/or with safety risks
Hardship support for customers who are in a uniquely vulnerable position as a result of this crime which can be accessed via our contact centre team (13 23 31 for Medibank and international customers, 13 42 46 for ahm customers and 1800 081 245 for My Home Hospital patients)
Specialist identity protection advice and resources through IDCARE’s purpose-built Medibank page
Free identity monitoring services for customers whose identity has been compromised as a result of this crime
Reimbursement of ID replacement fees for customers who need to replace any identity documents that have been compromised as a result of this crime
• Specialised teams to help our customers who receive scam communications or threats

Reach out for support

We understand this crime will be distressing for many of our customers.

Customers should reach out for support if they need it from:
• Medibank’s Mental Health Support line on 1800 644 325 (Medibank international students call 1800 887 283 and ahm international students call 1800 006 745)
• Beyond Blue (1300 224 636 / beyondblue.org.au)
• Lifeline (13 11 14 / lifeline.org.au)
• Their GP or other relevant health professional

Remaining vigilant

Medibank recommends being vigilant with all online communications and transactions including:
• Being alert for any phishing scams via phone, post or email
• Verifying any communications received to ensure they are legitimate
• Not opening texts from unknown or suspicious numbers
• Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentications on any online accounts where available
• Medibank will never contact customers asking for password or sensitive information

If you are contacted by someone who claims to have your data, or you are a victim of cybercrime, you can report it at ReportCyber on the Australian Cyber Security Centre website. To report a scam, go to ScamWatch. If you believe you are at physical risk, please call emergency services (000) immediately.

Customer data we currently believe the criminal has stolen

• The name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers • Medicare numbers (but not expiry dates) for ahm customers
• Passport numbers (but not expiry dates) and visa details for international student customers
• Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
• Health provider details, including names, provider numbers and addresses

Based on our investigations to date, we currently believe the criminal:
• Did not access primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers. Medibank does not collect primary identity documents for resident customers except in exceptional circumstances
• Did not access health claims data for extras services (such as dental, physio, optical and psychology)
• Did not access credit card and banking details

Read the rest of this entry »

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passes the Senate. An improvement but more legislative work is required.

November 29, 2022

Yesterday the Australian Senate passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.  The Bill was introduced and read for the first time on 26 October 2022. The second reading debate occured on 8 November 2022 and passed the House of Representatives on 9 November 2022. 

This Act has always been described as an interim measure.  An immediate response to the Optus and Medibank data breaches which highlighted the inadequacy of the data breach notification regime.  More significant reforms are promised for next year.  It does not address the flaws in the Privacy Act. 

Key aspects of the Act are:

  • an increase of  the maximum penalty for serious or repeated interferences with privacy for body corporates from $2.2 million to the greater of:
    • $50 million,
    • three times the value of the benefit obtained attributable to the breach or,
    • if the court cannot determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

These penalties mirror the recent increased penalties introduced for breaches of Australian Consumer Law (“ACL”). The definition of ‘adjusted turnover’is similar to that introduced into the ACL and takes into account the sum of the values of all the supplies that the body corporate and any related body corporate have made or are likely to make during the period. How long the ‘breach turnover period’ might be could be a very significant issue.  It could be some time where an issue is unknown and there is late detection.

  • greater information gathering powers by the Information Commissioner regarding data breaches including:
    • a power to share information publicly if it is in the public interest to do so  with a broader range of entities.  Those bodies include enforcement bodies (both in Australia and overseas), alternative complaint bodies and state and territory authorities.
    • a broader power to make declarations following the conclusion of an investigation including  requiring the organisation to:
      • prepare and publish or otherwise communicate a statement about the conduct; and
      • engage with a suitably qualified independent advisor to review practices, steps taken to remediate the breach and any other matter relevant to the investigation. 

This is a step towards the process the Federal Trade Commission has put in place for many years..

    • conducting an assessment of an organisation’s  compliance with the NDB Scheme, including the extent to which it has processes and procedures in place to assess suspected eligible data breaches and provide notice of eligible data breaches.  This is a worthwhile amendment.
    • issuing an infringement notice for failures to provide information as required by the Act.
  • organisations that carry on business in Australia are now regulated under the Privacy Act, even if they do not collect or hold information in Australia. The aim is to regulate organisations which carry on business in Australia, but do not themselves collect or hold personal information in Australia. The Act will now apply to all acts done or practices engaged in by overseas entities which carry on business in Australia, irrespective of whether the acts or practices relate to individuals located in Australia. For organisations with a globarl operation compliance will apply to the entire global operation . 
 

What constitutes either a ‘serious’ or ‘repeated’ interference still remains vague and unsatisfactory.

The Greens successfully proposed an amendment which will now become section 13GA which provides:

An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

Civil penalty:          2,000 penalty units

This provision makes it easier to take action than under section 13G which refers to either a serious inteference with privacy, whatever that means, or repeated interferences with privacy.  Hopefully these provisions will be consolidated in the broader revision of the Act. 

The amendments do not affect the opeation of hte Data Breach Notification Regime.  Not all  data breaches are covered. It remains the case that if an organisation suffers a data breach it may not need to provide notification of that data breach.  The issue remains whether it has or has not taken reasonable steps in the circumstances to secure personal information.  To that extent the amendments may not change much. 

All of these amendments mean nothing if the Information Commissioner does nohting with them. The Commissioner has been a timid regulator.  Whether that continues in light of the focus on privacy is the question.

The Bill Read the rest of this entry »

Federal Trade Commission takes action against Chegg, an Ed Tech provider, for exposing personal data of millions of customers due to careless security

November 22, 2022

The Federal Trade Commission (the “FTC”) has been quite an assertive regulator on privacy issues in the United States.  It has its fair share of detractors however it has been successful in developing a body of law relating to businesses not complying with their representations as to privacy and data security.  It has been so successful in that respect that Daniel Solove, a prominent privacy academic in the United States has suggest that the FTC has developed the common law of privacy.  The FTC has developed very effective consent agreements, enforceable undertakings in Australian parlance, should provide a very useful template when drafting obligations on entities in Australia which interfere with Australian’s privacy.  The enforceable undertakings imposed by the Australian Information Commissioner to date are anemic by comparison.  They may also be useful inspiration when, hopefully and eventually, individuals have a right to bring action against companies and government agencies and terms of settlement are required.

The FTC has brought an action against Chegg for careless security which led to four separate data breaches in the space of 3 years being:

  • in September 2017, Chegg employees fell for a phishing attack, giving the threat actors access to employees’ direct deposit information
  • in April 2018, a former contractor accessed one of Chegg’s S3 databases using an AWS Root Credential  to exfiltrated a database containing personal information of approximately 40 million users of the Chegg platform.  Chegg only discovered this data breach when informed by a threat intelligence vendor
  • in April 2019, a senior Chegg executive fell victim to a phishing attack, giving the threat actor access to the executive’s credentials to Chegg’s email platform and exposing personal information about consumers and employees of Chegg.  The email system was in a default configuration state that allowed a bypass of Chegg’s multifactor authentication requirement.
  • in April 2020, Chegg’s senior employee responsible for payroll fell victim to a phishing attack, giving the threat actor access to the employee’s credentials to Chegg’s payroll system . W-2 information, including the birthdates and Social Security numbers, of approximately 700 current and former employees, was exfiltrated.

Needless to say the failure of Chegg to improve data security after the first and second data breaches is a focus of the FTC complaint.

The above data breaches are regular enough occurrences in Australia.  The failure to properly remediate and improve data security after a data breach is also all too common with Australian organisations.

The FTC statement Read the rest of this entry »

National Institute of Standards and Technology release draft guide on De identifying Government data sets. A very useful guide for all those who practice privacy and cyber security.

November 18, 2022

De identifying data is a critical part of managing data, avoiding reputational damage if there is a data breach and complying with privacy legislation.  It is fundamental yet poorly understood, let alone implemented.  The National Institute of Standards and Technology has released the third draft of its De-Identifying Government Data Sets .   As with many NIST reports it is lengthy not to mention highly technical.  But it is worth reading.  The NIST provides the best technical guides in the privacy and cyber security sphere.

This is an excellent guide because it sets out clearly what deidentificatio involves, why it is important, what the risks are and how organisations and agencies should approach de identification. The United Kingdom’s Information Commissioner has prepared excellence guidance on Anonymisation, pseudonymisation and privacy enhancing technologies.  Given the nature of recent data breaches in Australia de identifying older records is important.  The guidance in Australia is inadequate. 

The abstract provides:

De-identification is a process that is applied to a dataset with the goal of preventing or limiting informational risks to individuals, protected groups, and establishments while still allowing for meaningful statistical analysis. Government agencies can use de-identification to reduce the privacy risk associated with collecting, processing, archiving, distributing, or publishing government data. Previously, NISTIR 8053, De-Identification of Personal Information, provided a survey of de-identification and re-identification techniques. This document provides specific guidance to government agencies that wish to use de-identification. Before using de-identification, agencies should evaluate their goals for using de-identification and the potential risks that de-identification might create. Agencies should decide upon a de-identification release model, such as publishing de-identified data, publishing synthetic data based on identified data, or providing a query interface that incorporates de-identification. Agencies can create a Disclosure Review Board to oversee the process of de-identification. They can also adopt a de-identification standard with measurable performance levels and perform re-identification studies to gauge the risk associated with de-identification. Several specific techniques for de-identification are available, including de-identification by removing identifiers and transforming quasi-identifiers and the use of formal privacy models. People performing de-identification generally use special-purpose software tools to perform the data manipulation and calculate the likely risk of re-identification. However, not all tools that merely mask personal information provide sufficient functionality for performing de-identification. This document also includes an extensive list of references, a glossary, and a list of specific de-identification tools, which is only included to convey the range of tools currently available and is not intended to imply a recommendation or endorsement by NIST. Read the rest of this entry »

The Australian Information Commissioner releases its data breaches report for January to June 2022.

November 13, 2022

On 10 November the Australian Information Commissioner released the six monthly Notifiable Data Breaches Report for the period January to June 2022.  The Report covers a period before the Optus and Medibank Data breaches which will make the next six monthly report quite dramatic with the personal records of at least 15 million Australian’s affected.  In a country of 26,217,341 that is extraordinary.

The Report is far more expansive and detailed than the usual reports.  It also seeks to instruct as to what is expected and why.  No doubt the increased topicality of privacy and the impact of the Optus and Medibank data breaches have influenced the Commissioner and made it prudent to be more expansive than was previously the case.

The highlights of the Report are:

  • there were 396 notifications, a reduction of 14% over the previous 6 months;
  • health had the most notifications.  No surprises there.
  • 63% of data breaches was caused by malicious or criminal attacks.
  • ransomware was the most common form of cyber attack, at 31% of the total.
  • 71% of entities notified the Commissioner within 30 days of becoming aware of the breach
  • 13% of cases did not become aware of the incident for over a year
  • 4 entities took more than 12 months from when they became aware of the breach to notify the Commissioner.  That is a matter of significant concern.  It will be interesting to see if the Commissioner does anything about such a flagrant breach of section 26WH of the Privacy Act 1988.
  • contact information was involved in the breaches on 331 occasions while identity information occurred in 217 cases.

While the Report and statistics contained within it are quite instructive it should taken with caution.  It should not be regarded as a complete, or even completely accurate, picture of what data breaches have taken place and the number of records affected.  The current Data Breach Notification Scheme as the Attorney General noted, is hopelessly ineffective.

The media release provides:

The significant impact of recent data breaches on millions of Australians and the findings of the latest Notifiable data breaches report released today stress the need for organisations to have robust information handling practices and an up-to-date data breach response plan.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the widespread attention on data breaches and statistics for January to June 2022 show areas that require organisations’ immediate action.

“Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place,” Commissioner Falk said.

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required.

“Organisations should also ensure they have a robust data breach response plan, so in the event of a data breach, they can rapidly notify affected individuals to minimise the risk of harm,” she said.

The Office of the Australian Information Commissioner (OAIC) was notified of 396 data breaches from January to June 2022, a 14% decrease compared to July to December 2021. Read the rest of this entry »

Medibank’s travails continue with hacker posting stolen data on line…a salutary lesson that preparing for ransomware is better than cleaning up afterward. But having a remediation plan is still important. Medibank shows what happens when there isn’t one.

November 10, 2022

Hackers posting data on line when the ransom demand for their return fails is nothing unusual.  And Medibank has refused to pay the ransom demanded of it.  That is consistent with Government advice.  Forbes reported that 92% of those who pay a ransom do not get their data back.  Last year Kaspersky reported that 56% of ransomware victims pay the ransom but only a quarter get their full data returned. Where does the truth lie.  Somewhere that is unlikely to be found. The figures are necessarily spongy given there is a marked reluctance by organisations and businesses to admit to paying ransoms. Surveys of consumers and companies are at best educated guesses.

With Medibank refusing to pay the ransom the Russian hackers have posted some of the data on line.  This is hardly unusual.  It is an evolving story but the Australian has a good summary with Medibank hacker starts posting stolen data.  It is a story that is getting wide coverage across Australia, with the Sydney Morning Herald, the Guardian, ABC and the Australian Financial Review, just to name a few outlets. It has also received wide overseas coverage such as by the BBC.

But this data breach and the unfolding torment is part of a worldwide phenomenon.  On 31 October Bleeping Computer reported that hackers were selling access to 576 corporate networks for $4 million. Other cyber attacks in the last week included Boeing Subsidiary Jeppesen’s Services Hit By Cyberattack, a cyber attack caused trains to stop in Denmark, a Ransomware attack on Osaka General’s network stalled critical surgeries & daily operations and  Europe’s Biggest Copper Producer Hit by Cyber-Attack to name but a few. These incidents highlight the chronic and worldwide nature of the problem.  In most of these cases hackers gained access because of poor data security practices. 

The hackers in the Medibank data breach are following the digital extortion business model where the hackers escalate the attack in order to force payment from victims. The Ransomware extortion model commonly begins as a classic ransomware attack, demanding payment for encrypted files while similtaneously the hackers exfiltrate data from the victim. If victims fail to pay within the allotted time, or opt to recover encrypted data through backups, criminals threaten to release confidential data publicly. Some attackers even auction confidential data to the highest bidder on the dark web..

The extortive blended attacks can circumvent backup strategies because they essentially extort the victim into payment even if backups are in place.
Ransomware is one of cybercrime’s strongest business models.  It is far more popular and effective than trojans, phishing, distributed denial-of-service (DDoS) and cryptojacking.
When a computer becomes infected with ransomware, the malware often generates network traffic by sending encrypted system information to a command-and-control server.. Normally, ransomware contains the public key needed for encryption and uses it locally without fetching from a remote server.

Typical actions taken by most ransomware variants include:

  •  terminating a list of hardcoded processes and services that may interfere with file encryption such as databases, security
    applications and backup services. Some variants also search for and attempt to uninstall known antivirus programs or other
    security applications
  • preventing and disable system restore features that may be enabled by the operating system.

Unlike other malware, most ransomware infections don’t require administrative privileges. The malware relies Read the rest of this entry »

ABC breaches privacy obligations in broadcasting a person’s profile in a report about dating app scams

November 3, 2022

Today the Australian Communications and Media Authority published its findings that the ABC has breached its privacy obligations in disclosing the identity of a person who used a dating app.  Beyond finding a breach and making recommendations there is no other sanction available to the ACMA.  Another example of why a stautory tort relating to the interference with privacy is long overdue.

ACMA’s  media release provides:

The Australian Communications and Media Authority (ACMA) has found the Australian Broadcasting Corporation (ABC) breached the privacy requirements in the ABC Code of Practice by broadcasting an identifiable person’s profile in a news report about dating app scams.

The Newshour segment, which was broadcast in May 2021, included footage of a screen scrolling through a dating app showing the profile of a person, including an image of a face, age and first name.

The ACMA investigation found that although the dating app profile was shown fleetingly, the image of the face was repeated twice in the news report and the person was identifiable.

ACMA Chair Nerida O’Loughlin said having personal information broadcast on television can be distressing for the individual in question.

“Media intrusion into a person’s private life without consent must be justified to be in the public interest,” Ms O’Loughlin said.

“There is a clear public interest in reporting on online scamming, however there are limits to the type of personal information that should be disclosed in a news report. In this case, there was no justifiable reason to identify the person and the ABC did not undertake adequate measures to ensure their privacy.”

The ACMA’s enforcement powers when it finds the ABC has breached its Code are limited to recommending the ABC take particular actions. In this case, the ACMA did not consider this necessary as the ABC had already removed the footage from its archive and advised that the ACMA finding will be made available to relevant ABC News staff. 

FACTS

The Australian Broadcasting Corporation (the ABC) broadcast the News Hour on 11 May 2021 at 5:00 pm.

The Report was comprised largely of the studio presenter and expert guest discussing the ramifications of the rise in online scamming appearing on dating apps. A montage sequence of people using mobile phones to view dating apps, with faces and names of subscribers to those dating apps appearing on-screen, punctuated the discussion.

In the Report, the relevant footage was Read the rest of this entry »

A recent late announcement of a data breach by Australian Clinical Labs will not be the last. The latest is the Australian Defence Department caught up in a ransomware attack. Expect more announcements before Australian privacy laws are amended

November 1, 2022

The ABC in Australian Clinical Labs accused of ‘sitting on’ hack that saw patient data posted to the dark web reports on Australian Clinical Labs having bneen hit by a data breach in February but only advised patients five months later.  This is not an isolated event.  Bleeping Computer reports in See Tickets discloses 2.5 years-long credit card theft breach that hackers had accessed customers payment card details via a skimmer on its website.  The breach was detected in April 2021 but the malicious code was only fully removed on 8 January 2022.  After further analysis that See Tickets finally concluded on 12 September 2022 that the hackers made accessed customer credit information including full names, .  An internal investigation determined that the initial breach occured on 25 June 2019.  In total an exposure of 2.5 years. It is not uncommon with sophisticated attacks that it can take considerable time to detect an intruder, particularly if a company does not have software designed to monitor unusual activities within a site.  But 2.5 years indicates a woeful level of cyber security.

The latest significant data breach has been a ransomware attack on the Department of Defence, specifically a communications platform used by the military.  Hackers accessed the ForceNet service which is operated by an external information provider.  It is reported in Australian Defence Department caught up in ransomware attack.  Given the function of the platform communications between the current and former Australian defence members have been compromised.  The dataset extends back to 2018.  It will be interesting to determine whether data was retained long after it should have been deleted.  That is a constant problem in Australian data management. I am not surprised the hackers targeted an ICT contractor.  Third party providers are often the weak link for organisations.  They are commonly Read the rest of this entry »

ISO 27001:2022 is released. Given the data breaches in Australia and generally poor privacy governance it comes at the right time.

October 29, 2022

ISO 27001 is a global specification for an information security management system (known as ISMS). It is the standard for effective information management. Properly implemented it helps organisations to avoid security breaches. An ISMS is a framework of policies and procedures relating to  that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

The new ISO 27001 has just been released.  It is called ISO 21001:2022. This version introduces significant changes in the way organisations manage information security. The Standard was last revised almost a decade ago.

The standard  is no longer divided into 14 control categories.  It is now split into four ‘themes’:

  • organisational,
  • people,
  • physical and
  • technological.

The total number of controls has decreased from 114 to 93. This is because many of its controls have been reordered and merged. Under the new ISO 27001:

  •  35 controls are unchanged,
  • there are 11 new requirements which  are:
    • threat intelligence
    • information security for use of cloud services
    • ICT readiness for business continuity
    • physical security monitoring
    • configuration management
    • information deletion
    • data masking
    • data leakage prevention
    • monitoring activities
    • web filtering
    • secure coding

Read the rest of this entry »

Government to fast track privacy laws in response to Medibank data breach….policy on the run?

October 26, 2022

Governments of both persuasion have avoided privacy law reform for over 20 years.  A Coalition Government made the most minimal changes to the Privacy Act in 2001 to cover the private sector. The ALP Government made relatively few amendments in 2012 in response to the mammoth and comprehensive Australian Law Reform Commission Report on privacy handed down in 2008. For the last 6 years the previous Coalition Government sat on another Australian Law Reform Commission Report and then instituted an internal Attorney General’s review of the Privacy Act.

Medibank provided an update yesterday about the cyber attack in October.  The data exfiltrated is more extensive than previously known.  It now includes Medibank customer data of both current and previous customers. The statement provides:

There has been a further development in Medibank’s cybercrime event, which is subject to a criminal investigation by the Australia Federal Police (AFP).

It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers.

This is a distressing development and Medibank unreservedly apologises to our customers.

Here is what we can update

We have received a series of additional files from the criminal. We have been able to determine that this includes: Read the rest of this entry »