Alright, so the Australian government is taking action, and here’s why. A while ago, cybercriminals breached none other than Optus and managed to steal data belonging to 2.1 million of its current and former customers. Now, we add 3 million+ to that figure, as Australian insurance firm Medibank is the latest confirmed target.
Yes, the company disclosed that the sensitive data of all of its customers had been accessed without authorization following a sophisticated ransomware attack on its systems.
Emphasis on the “personal information of all of its customers,” as it shows how impactful this attack is. How is Medibank handling this? What is the Australian government’s stance? Here’s everything you need to know.
Medibank Breach – “All” of the Information Harvested
Threat actors operate all over the world, targeting big companies with new techniques every now and then. Lately, they have been very active, especially in the Land Down Under.
Australia has been witnessing data breaches regularly, and Medibank is the latest victim of these ongoing campaigns. At first, there was no evidence that any customer data had been accessed or exfiltrated.
However, a few days later, the ransomware group behind the attack made contact with the company and provided a sample of 100 stolen files out of an alleged 200GB of stolen data.
The attackers claim that the information includes names, addresses, birthdates, Medicare numbers, policy numbers, and phone numbers.
Not only that, but they also claim to hold the locations where customers received medical services, along with the codes relating to their diagnoses and procedures. On October 26th, 2022, Medibank released the following update:
Update at 9.30 am – Wednesday, 26 October
“Since yesterday’s announcement, our cybercrime investigation has now established that the criminal had access to:
- All ahm customers’ personal data and significant amounts of health claims data.
- All international student customers’ personal data and significant amounts of health claims data.
- All Medibank customers’ personal data and significant amounts of health claims data.
As previously advised, we have evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data.
As a result, we expect that the number of affected customers could grow substantially.
Our priority is to continue working to understand the specific data that has been taken for each of our customers so that we can contact them directly to let them know.”
This is yet another high-profile breach in Australia, and the government will no longer stand by. It is now working to introduce stricter data protection laws.
The bill goes by the name of Privacy Legislation Amendment (Enforcement and Other Measures) 2022. Once passed, it will increase the maximum penalties applied under the Privacy Act 1988 for serious privacy breaches.
Currently, the maximum penalty is $2.22 million. Once the Bill becomes law, the maximum will be determined by the following:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30 percent of a company’s adjusted turnover in the relevant period.
All of this is set out in the official proposal that the Australian Government published on Saturday.
It’s Only Getting Tougher
Australia isn’t the only country that has suffered multiple breaches lately. Cybercriminals are everywhere, developing new techniques to raise their chances of a successful breach.
Even the biggest tech companies are falling victim to such attacks, and more are bound to suffer the same fate. Companies should tighten their security measures as much as they can.
If a breach does occur, they should inform customers immediately, since the stolen data can be used in further attacks. That way, customers can at least be prepared.