ITP Techblog

A nightmare scenario is currently playing out for Australian health insurer Medibank, which last month saw details of up to 9.7 million customers obtained by hackers.

Yesterday the hackers started publishing data to the dark web after their demands for Medibank to pay a A$9.7 million ransom, $1 for every customer, were rejected. The most sensitive data the hackers have begun releasing includes private health data. Around 500,000 Medibank customers are believed to have had private health data exposed in the hacking attack.

Now the hackers seem to be willing to extract as much emotional blackmail as possible in pushing for a payday, releasing data under a “good-list” and “naughty-list”.

Screenshot of a blog post outlining the hackers' plans to leak Medibank records

According to the Sydney Morning Herald, cybersecurity experts who have viewed the data confirmed that it contained customers’ names, postcodes and data on health treatment for issues such as cocaine and other addictions.

In a blog post published on Tuesday, the hackers claimed that “data will be publish [sic] in 24 hours”. P.S. I recommend to sell [sic] medibank stocks.”

“Added one more file abortions.csv ...,” the hackers wrote in a blog post. The leaks could go on for months, though with Medibank following the Australian Government’s advice rejecting ransom demands, the chance of a payout seems remote and hacked data largely loses its value to hackers once it has been released.

Tweet by Troy Hunt, Creator of haveibeenpwned.com and Microsoft Regional Director and MVP.

The Medibank hack and the leak of data in another massive breach at telecoms company Optus, expose flaws in data retention policies at major Australian companies.

Focus on data retention

“We need to move beyond thinking about how we protect critical data sets to a strategy of data minimisation,” Professor Carsten Rudolph, from the Department of Software Systems and Cybersecurity, at Monash University said back in late October, when the breach was first made public.

“For a health insurer, this would mean to critically analyse what data is actually required to deliver the service. Which type of data needs to be readily available? What data can just be used for a shorter process without actually retaining it etc. Further, critical customer health information should either not be stored by an insurer at all, or if it is required, it should not be easy to link it to the customer’s identity.

“There are some measures that can be taken to prevent or mitigate such incidents in the future. The most important one would be to minimise data retention. Also, the data that is actually collected can be encrypted so that the number of data requests can be controlled and malicious activities can be stopped before a complete database is syphoned off. In conjunction with these measures laws or regulations should be established to enforce lesser data collection and encryption of data once it is collected. 

“We should also review data-sharing approaches. Currently, data sharing protocols as enabled through the Consumer Data Right framework do not give consumers the option to decide how long their data is stored. It merely requires the company to seek sharing permissions and then the consumer can either give consent or decide for their data not to be shared. Consumers should be empowered to make informed decisions, customise sharing permissions and should be able to enforce the deletion of data.”

With New Zealand’s own Privacy Act requiring agencies minimise the amount of data they hold on customers, and with a Consumer Data Right in development here too, the focus on data retention in the wake of the Aussie hacking attacks is just as relevant here.