The Australian Federal Police has revealed that those responsible for the data breach of Australian private health insurer Medibank are in Russia.
On 13 October, Medibank paused trading on the Australian Securities Exchange and announced there had been a “cyber incident”. At the time the company believed no data had been accessed and that the main issue was at its ahm and international student policy management units.
But what started as the second largest breach in Australia’s history slowly unraveled into a potentially much more harmful breach than the infamous Optus breach, which impacted a third of the Australian population.
On 7 November, more than three weeks after the incident, Medibank said that the names, dates of birth, phone numbers and email addresses of 9.7 million current and former customers had been accessed. For some customers, the data accessed also included Medicare numbers and passport numbers.
What makes this worse is that, because Australian regulation requires insurers to retain certain information from current and past customers for seven years, highly sensitive data of 480,000 people was accessed in the Medibank breach, including their service provider name and location, where the customers received certain medical services, and codes associated with diagnosis and procedures administered.
“Our intelligence points to a group of loosely affiliated cyber criminals, who are likely responsible for past significant breaches in countries across the world,” AFP Commissioner Reece Kershaw said in a press conference.
Kershaw said the cyber criminals are operating like a business with affiliates and associates, who are supporting the business, and that some affiliates are believed to be in other countries.
“Everyone involved in this attack is a focus of the ongoing investigation through the AFP-led Operation Pallidus. We believe we know which individuals are responsible, but I will not be naming them,” Kershaw said.
The commissioner said the AFP will talk to Russian law enforcement. This is expected to be facilitated by the Australian INTERPOL National Central Bureau, which the AFP is responsible for.
The situation escalated after the cybercriminals asked Medibank to pay a ransom for the data, giving the insurer 24 hours to pay before they would start releasing the information. Medibank refused to pay the ransom, an action supported by the Australian government and authorities. According to the ABC, the “hackers claim they demanded a US$9.7 million ransom.”
This week Prime Minister Anthony Albanese and Minister for Cybersecurity Clare O’Neil, who deemed the Optus breach a “basic” breach but made no such claims about Medibank, both revealed that they are Medibank customers.
Medibank has been informing its customers and former customers via email of any updates, as well as shareholders and media.
Australia has been the target of too many breaches
Since the Optus data breach in late September, which exposed the data of 9.8 million people, more than a handful of data breaches have slowly been revealed.
Two weeks after the Optus data breach came to light, a small data breach related to Australia’s largest telecommunications provider, Telstra, was also revealed. The breach was small and was suffered by a third-party service provider, affecting Telstra staff only. The exposed data included first and last names and employee work email addresses from 2017.
Not long after, MyDeal, part of supermarket chain Woolworths Group, revealed that a compromised user credential was used to access its customer relationship management system, exposing the email addresses of 2.2 million customers.
Wine reseller Vinomofo was next. The company emailed customers informing them of a “recent cybersecurity incident” where its database was accessed on a testing platform. The information accessed included name, gender, date of birth, address, email and phone number.
These breaches sparked a consultation on the amendment of the Privacy Legislation, which received 31 submissions, including from associations representing some of the biggest technology vendors in the world.
One of the changes proposed by the federal government is an increase in civil penalties “for serious or repeated interferences with privacy to not more than the greater of: A$50 million, three times the value of any benefit obtained through the misuse of the information, or if the value of the benefit obtained cannot be determined, 30% of an entity’s domestic turnover in the relevant period.”
The maximum penalty currently sits at A$2.2 million, and the proposed substantial increase, which is supported by the Office of the Australian Information Commissioner (OAIC), is to help “incentivize compliance and ensure that penalties for privacy breaches act as a deterrent and are not seen merely as the cost of doing business in Australia,” an OAIC spokesperson said.
It is important to note that since the Notifiable Data Breaches scheme was introduced in 2018, no penalty has been applied, with the OAIC lodging just one set of civil penalty proceedings, against Facebook in the Federal Court in March 2020, alleging the social media platform committed serious and/or repeated interferences with privacy in contravention of Australian privacy law. Those proceedings are still underway.
Shortly after the AFP announcement, the Australian federal government announced a joint operation between the AFP and the Australian Signals Directorate “to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups”.
In an interview with the ABC, cybersecurity minister O’Neil described the “task force” as having “100 of the best, most capable cyber experts” in Australia. “We are offensively going to find these people, hunt them down and debilitate them before they can attack our country.”
Copyright © 2022 IDG Communications, Inc.