To pay or not to pay

Towards the end of last year, Faster Networks wrote about a string of cyber attacks targeting large Australian consumer-facing service providers, such as the telco Optus and the health insurer Medibank.

The Medibank fall-out was significant, both financially and reputationally. However, unless you were directly affected as a customer, Medibank's bottom line, according to its half-year results, was relatively unchanged. The story went like this….

On 11 October 2022 a criminal hacker used a username and password stolen from a third-party contractor to access Medibank's internal systems through an insecure firewall; call that the vulnerability. Once inside the network the attacker harvested further credentials and exfiltrated data unchallenged and without limits until a security alert was raised and the technology department shut off the access paths. By then the attacker, presumed to be the Russian hacking group REvil, had obtained hundreds of thousands of records, around 200GB of data compressed to 5GB, with the intention of publishing them in instalments on the dark web unless a ransom was paid immediately.

As we now know, Medibank, with the backing of the Australian Federal Government at the time, did not pay the $15.6m ransom. The Office of the Australian Information Commissioner (OAIC) is part way through an investigation, started in December 2022, that "will also consider whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles".

When it became clear that Medibank would not give in to the ransom demand, the hackers dumped the entire compressed data set on the dark web with the message "Happy Cyber Security Day". At that point Medibank released a statement alerting customers to the dump and explaining what action they could take and where to find information and support.

Medibank is likely to be fined somewhere in the vicinity of a few million dollars. At the time of the attack the Australian government could fine a corporate entity that suffered a privacy breach a maximum of $2.2 million; since then the maximum penalty has been raised to $50m, applicable where the necessary steps were not taken to protect customers from a data breach.

The Medibank scandal is not over. Law firm Baker McKenzie has launched a class action stating that up to 10 million customers were affected by the privacy breach, claiming that it has caused customers "loss" and "distress", and seeking compensation.

To add to Medibank's woes, its stock dipped slightly on the recent retirement announcement of John Goodall, Medibank Group Executive Technology & Operations, but in reality the health insurer is not suffering any more than the rest of the market despite the technical drama, government scrutiny and litigation.