In the third major reported data breach in the past month, hackers have threatened to release the personal data of Medibank customers unless their ransom demands are met.
The extortion demand has the potential to expose up to 3.9 million Australians to the possibility of fraud and identity theft, and the hackers say they will release the data of 1000 of the health insurance provider’s ‘most prominent customers’ as a ‘warning shot’ if they do not get what they want.
“[W]e’ve found people with very interesting diagnoses. And we’ll email them their information”, the hackers are reported to have stated.
Medibank has not released details of the specific demands but says it is taking the threat very seriously.
Threat to release confidential health information
Medibank, which has almost 4 million customers and provides a range of services including health insurance, health management as well as telehealth services for government and corporate customers, first acknowledged the data leak last week, saying initially that there was no evidence sensitive customer data had been accessed.
The cyber attack follows the biggest in Australia’s history, which affected Optus customers in late September, and another which affected Woolworths’ MyDeal website earlier this month.
It’s the reality of what cyber experts have been warning for a long time – that Australia is ‘easy pickings’ for cyber criminals. It also shows the very real danger of companies having ‘reactive’ policies and procedures, rather than doing more – and investing more – in proactive protection strategies.
Government promises ‘urgent law reform’ – but is that enough?
The issue has thrust data security into the spotlight with the Federal Government promising urgent reform, which could increase fines for privacy breaches, but this is cold comfort for those Australians who have been impacted. It’s akin to “shutting the gate well after the horse has bolted.”
In addition, fines are paid to the Government. What many customers might prefer to see is some form of personal compensation for the duress these types of incidents cause, and the time and effort they have to spend trying to mitigate the damage and ensure their own protection.
Most of us are savvy enough to know that we need to regularly change our passwords and login information, be wary of unusual links, be careful about what we post on social media platforms, and keep a watchful eye on our bank balances for abnormal transactions.
Many of us take personal responsibility for our online activity and do what we can to protect ourselves, and yet we are expected to hand over data to companies and organisations and ‘hope’ they are capable of doing the same.
Vulnerable Australians affected by the ‘digital divide’
However, there are a large number of Australians who are particularly vulnerable because of Australia’s significant ‘digital divide’.
The Australian Digital Inclusion Index (ADII, 2021) shows 1 in 4 people in Australia are still digitally excluded, meaning they don’t have access to regular stable internet. These are typically low-income earners, people with low levels of education and employment, the homeless, those living in some regional areas, people aged over 65 and people with a disability.
Without access to the internet, or the skills and confidence to use it, these people are particularly at risk because they are unable to take their own remedial steps.
The impact of identity fraud
Identity fraud can take a person years to recover from. It has a number of very serious potential consequences too, particularly if someone uses the stolen identity to commit a crime, meaning an innocent person can find themselves accused of something they did not do.
As the digital age has rapidly evolved, data has become exceptionally valuable to companies, so perhaps it is no surprise that the hackers are trying to extort large sums of money in exchange for the data. They purport to have 200 gigabytes of information including customer contact details, confidential health information and credit card details, but there is no guarantee that even if they are paid, they will return the data and simply disappear. It’s unknown too, whether they have already sold the data elsewhere before making demands of Medibank.
Cyber attacks increasing in frequency and sophistication – is Australia prepared?
However, the Medibank threat has gone one step further than the two previous large-scale breaches, with the hackers saying they intend to find the most ‘high profile’ people on the database, including politicians, actors, bloggers and activists, and email them their information to prove they have the data, and to put pressure on negotiations. They have allegedly said they will release the information publicly if their demands are not met.
For customers, who have no doubt completely lost their trust in the organisation, particularly after its early assurances that no sensitive data was compromised or lost, there is a stressful wait ahead to see what comes next and how individuals might be able to take their own action to address the issue.
The Australian Cyber Security Centre has warned in recent days that this may only be the beginning because cyber attacks are not only increasing in frequency but also in scale and sophistication.