Medibank cyber attack shows change needed on data storage, experts say
The massive cyber attacks on Medibank and Optus that have shocked Australia show the government must change how it deals with data, a cyber fraud expert said.
The size of the Medibank data heist grew dramatically on Wednesday when Australia’s largest health insurer admitted that all its 3.9 million customers were affected.
Given the explosion of data breaches, governments needed to “backflip” on how they deal with data and focus on the risk of data theft rather than on individuals suspected of terrorism or other crimes, said Professor Richard Buckland, professor in cyber crime at the University of NSW.
“Because of the risk of fraud that would hurt the banks as well as consumers, the data of all the hacked people was shared with the banks” [following the Optus hacking], Professor Buckland said.
The government had to change the privacy laws to allow Optus to share information about Medicare, passport numbers and driver’s licences with the banks.
“It’s mad as that data is toxic. Instead of deleting it, it’s being spread to more places where it can be lost.”
State governments are now planning to set up central databases “where they keep a track of everyone who has been hacked”, Professor Buckland said.
The federal government also demands many agencies and businesses store data for long periods of time.
“The problem [of hacking] is caused by people collecting data.
“So why would someone say the way to solve the problem is to collect more data?” Professor Buckland said.
The danger with collecting more and more caches of data is that “every second it is there and for every extra person that has it, there is another chance for it to be lost,” Professor Buckland said.
The Medibank data breach is particularly serious because “medical data is considered highly personal both by individuals and the government for very good reason”, senior lecturer in cyber security and computing at the University of Melbourne, Shaanan Cohney said.
Details such as mental health status, gender and gender assignment surgery or difficult and dangerous health conditions can be used to damage careers, creditworthiness and even personal relationships.
“Using that sort of information provides very good leverage for a nasty person intent on personal blackmail. The head of a student union has talked about a couple of LGBTQI students who would be in trouble at home [in a socially conservative country] if their parents or authorities became aware of their status,” Professor Buckland said.
Health insurance data could also be used to provide the necessary information to lodge false Medicare claims.
Individuals are collateral damage
Although some of the personal damage could result from criminals targeting individuals, more often it is likely to be collateral damage from criminals dealing with the mass of information they have taken in their cyber raids.
“One way cyber criminals operate is to ransom the data and release it if the ransom is not paid,” Dr Cohney said.
Another possibility is that the ransom is not paid, so a subset of the data is released to show they are serious, he said.
Medibank has not stated if it will pay a ransom and Optus did not release that information either.
However, Professor Buckland said the evidence appeared to be that Optus had done so.
“We don’t know if Optus paid a ransom but let’s say it is miraculous what the attacker did in voluntarily giving up the data they had got and promising they had deleted it all.
“It’s exactly what someone would do if they were paid the ransom – it’s a remarkable coincidence,” Professor Buckland said.
Can you pay?
The legality of Optus or Medibank paying ransoms would depend on the jurisdiction in which they are domiciled – Optus is a Singapore-owned group – and the nature of the outfit demanding the ransom.
It would be illegal to pay a ransom to terrorist groups or other entities under sanction from governments.
Cyber criminals choosing to release stolen data use sites that are known as ‘dumps’. They are generally situated in countries with governments that are corrupt, or not friendly to developed nations.
Once data goes into these dumps the problem for those listed can become worse, Dr Cohney said.
“The data is potentially valuable to other criminals who may further attempt to ransom organisations or individuals.”