Will anything change after the Medibank hack?
Optus boss Kelly Bayer Rosmarin has been helping guide the health insurer by sharing her ‘learnings’ from an earlier data breach that exposed highly personal customer information.
Medibank customer Nathan Williams is nervous about what he doesn’t know he doesn’t know about having his personal information stolen.
The only communication the small business owner has received about having his private data stolen is one email from Medibank – and just one from Optus, another target for hackers where he also happens to be a customer – to say there had been a breach.
It’s been a shocking two weeks for Medibank. The nation’s biggest private health insurer said last week it had stopped a ransomware attack, then admitted some 1000 customers may have had their data stolen, before revealing on Wednesday that all 4 million of its current customers and as many as 1.5 million former clients may have been exposed to Russian hackers.
“I still don’t know what’s been leaked, and what they’ve actually got of mine,” says Williams who owns the Sydney brow salon Parlour B.
Medibank shares went into a tailspin after Wednesday’s announcement, shedding $1.8bn that day alone.
Williams shouldn’t take it personally that he feels left in the dark. Medibank and the government agencies trying to track down the hackers don’t appear to know yet whether the hack includes Medicare numbers, dates of birth, addresses and even bank details.
Same goes for Optus, where 2.1 million customers may have had information exposed, including the above – along with passport and driver’s licence numbers.
Friends in hard times
Medibank chief executive David Koczkar told The Weekend Australian that his counterpart at Optus, Kelly Bayer Rosmarin, had reached out to him in Zoom calls having suffered a similar data breach only a few weeks earlier.
“The unfortunate reality is that any company or individual can have their data compromised … This is a Team Australia issue,” says Koczkar. “I’ve spoken to Kelly. We’ve had several discussions and they have been warm and supportive.”
Bayer Rosmarin told The Weekend Australian: “Medibank has reached out to Optus following their cyber incident, and Optus has been sharing learnings extensively across a range of areas with a focus on helping impacted customers and supporting Australia’s defence against cyber criminals.”
Not everyone is feeling warm and supported, however. Customers in Australia have no direct recourse to sue Medibank, Optus, or any other company that loses their data, and many are angry.
Unlike in the US, individuals in Australia are unable to pursue legal action against a company for breaching their privacy. They could potentially argue misrepresentation, misleading advertising, or breach of contract, but these would be difficult cases, and likely to be on a limited liability basis.
In a hypothetical sense, this would mean that if Nicole Kidman or Chris Hemsworth had a deeply personal and career-damaging medical procedure done that was revealed through a hack in Australia, there would be no clear action they could take against the company that allowed their private information to become public.
John Swinson, who specialises in technology law at the University of Queensland, says this needs to change. Professor Swinson, who has also been caught up as a customer in both the Medibank and Optus hacks, is angry about both companies’ failures to protect his deeply personal information and his lack of ability to take them to task for it.
Instead he can only complain to the Australian Information Commissioner, or to the Australian Prudential Regulation Authority in this instance.
“I’m a Medibank customer and I’m super upset. I expect them to keep my information confidential. Let’s assume I had psychiatric issues or a sexual issue or serious medical issues, I don’t want people to know that. It’s not negotiable,” he says.
Medibank does not say in its privacy policy that it will keep people’s information confidential, only that it will try to do so.
“We aim to store your information securely and have a range of security controls in place (including physical, technical and procedural safeguards) designed to protect your personal information,” it reads.
Professor Swinson says all customers should be able to expect more from big companies, including basic security steps such as two-factor authentication.
The government has announced plans for changes to the Privacy Act to increase penalties from $2.2m to $50m, but Professor Swinson says the debate needs to pivot from the government using a bigger stick – to giving customers the right to fight back when a company has failed them.
Privacy laws need to be upgraded even though some businesses won’t like the extra regulation, Professor Swinson believes. In the US, the Securities and Exchange Commission has put forward a paper that leaves boards on the hook in the case of privacy breaches.
The Privacy Act needs to be tightened up, enforced, fines increased, and individuals need to have the right to sue for compensation, rather than just the government receiving payment of fines, Professor Swinson says.
“If you’ve been hurt physically, you can sue the person who hurt you. If you’re with a company that allows a person’s data to be stolen by Russian criminals then you should be able to sue that company as well. If not, why not? Privacy and data about me is my property. It’s not the government’s.”
Attorney-General Mark Dreyfus has introduced a bill that would increase fines to $50m or three times the value of any benefit from the misuse of information or 30 per cent of a corporate’s domestic turnover if a value can’t be ascribed.
While welcoming these moves, Professor Swinson says the government needs to step forward and be enforcing the law regularly and proactively, including auditing businesses to make sure they are complying with the law and prosecuting businesses before massive hacks occur.
Over exposed
What October’s data hacks show, to anyone who missed the memo, is that private information can and will be stolen.
So inevitable is the likelihood of hacking that Lloyd’s of London recently said that from next year it would stop insuring against state-sponsored cyberattacks because the losses have the potential to “greatly exceed” what it can absorb.
Maril Vernon, a senior security engineer for cloud platform Aquia, says if the “bad actor” is so motivated, they will spend months researching employees, writing custom malware, and co-ordinating physical and remote attacks.
Vernon says it is frustrating that Medibank has not revealed more information about how its hack occurred, beyond one “high-level” person having their login credentials exposed, and says this secrecy is usually due to being “embarrassed” rather than for investigative reasons.
“Giving us the indicators of compromise on the methods of initial access, pivot, discovery and collection, and lateral movement would enable other healthcare organisations to check their logs and environments for similar IoCs and potentially proactively thwart or contain a similar attack,” Vernon says.
It might come down to cyber hygiene like using minimum secure levels of encryption for data while an executive is in transit. It might be increased security awareness training and phishing simulations. It might be overly permissive group policies such as a marketing executive having unnecessary access to sensitive critical assets and customer data.
The cybersecurity principle of “least privilege” needs to be better enforced from an administrative control level at the identity and access management processes, says Vernon.
According to Robert Potter, chief executive of Internet 2.0, companies themselves need to reconsider how much data they retain.
Only a few years ago many companies were busy trying to monetise the data they collected from customers but there has been a massive pushback against this, particularly in the US.
So much so, one of Apple’s biggest global advertising campaigns this year has been one promoting its commitment to protecting people’s privacy to prevent them being snooped on online.
In Australia – possibly due to the limitations of the Privacy Act – the messages around personal and corporate data security have not been strong.
Potter believes this will now change and says cybersecurity is now “on every business’s radar.” “Companies are going to want to be holding as little data as they can,” says Potter of the responses by corporate Australia to the Medibank and Optus hacks.
“In the case of Optus, it seemed a case of data-is-money. I’d like to see companies collecting as little data as possible. Bad guys will keep stealing if we keep making it as easy as it is.” To be fair, in the case of Medibank, Koczkar says it only kept personal information it was required by the government to keep.
The bottom line
Stopping hackers is expensive business.
The big four banks each spend tens of millions on cybersecurity each year. This would be in part because they can afford to – having posted cash earnings of $14.4bn for the 2022 half year – and also because they have a cultural history of protecting people’s money.
“Once upon a time we locked it in bank vaults, and now it’s online,” says one bank executive who did not want to be named.
Medibank has not said how much it spends on cybersecurity but has said the current hack will cost between $25m and $35m initially and confirmed it does not have insurance against data hacks. What it will cost is still unclear. Australia’s biggest private health insurer can’t be sued by individuals who have had their data stolen but it may be subject to a class-action lawsuit by shareholders.
Analysts also predict the company could lose many customers as a result of the hack and incur costs from fines, ransom demands and remediation work.
Citi moved its Medibank target price from $4 to $3 and downgraded the stock from a buy to a neutral. “Will consumers now view their data as likely to be safer with Medibank moving forward than competitors, given Medibank is likely to strengthen its defences following the attack, or will there be a mass exodus of customers distraught at the information that has been released into the public domain and as trust evaporates,” wrote Citibank brokers in a note to clients. “We expect some, likely considerable, reputational damage which could have long lasting impacts. We make an assessment of this by now allowing for a reasonable amount of customer attrition in our estimates.”
UBS was more bullish on the stock, retaining a buy with a target price of $3.70 per share although it reduced its profit forecasts and noted “that potential brand damage and market share loss are key risk factors”.
While it might be a wild ride for shareholders of Medibank and an anxious time for customers of both Medibank and Optus, what of the CEOs at the top at the time of the hacks?
Potter says handling a hack well is an exercise in good public relations, and he isn’t sure either chief executive completely nailed it, with Optus saying the attack was sophisticated when it turned out not to be, and Medibank saying it wasn’t much data, when it was.
“It’s a trust breaching exercise,” says Potter. “You won’t get fired if you have a hack, but you will if you handle it poorly.”