Special Edition: What went wrong at Medibank?

RecordPoint CEO Anthony Woodward and Head of Product Kris Brown discuss new legal action brought against Medibank by the OAIC, which carries a maximum theoretical penalty of a AU $21 trillion fine, after a 2022 data breach that exposed the personal information of more than 9 million Australians.

‍

They also discuss:

• What is Medibank, and why is its 2022 data breach making headlines now?

• The extent of the breach and the specifics of the customer data accessed

• The methods hackers used to access customer information  

• Why the OAIC chose to fine Medibank and why the proposed fine is so high  

• Steps organizations can take to reduce the risk of a breach like Medibank’s

• Why privacy needs to be prioritized in the board room  

Resources:

• 🎧 FILED S2E4: Companies must focus on reducing risk, not just improving compliance | Dr Miles Ashcroft, RecordPoint

• 🎧 FILED S2E3: Why organizations must be proactive in their cybersecurity approach | Eric Avigdor, Votiro  

• 📨 FILED Newsletter: A US federal privacy law may actually happen this time, but does it matter?  

• 📏 Benchmark: How much PII does the average organization store?

‍

Transcript:

Anthony Woodward: Welcome to FILED, a conversation with those at the convergence of data privacy, data security, data regulations, records and governance. I'm Anthony Woodward, CEO of RecordPoint and with me today is my co-host Kris Brown, RecordPoint's VP of Product. How are you Kris?

Kris Brown: Mate, I'm excellent. We have got some massive news to talk about today.

Some big things are happening and I'm really excited, but we're actually talking about a very hot topic that's happening here in Australia at the moment, the Medibank breach. Now, the reason why we're talking about that, that is that the Australian Privacy Commissioner, Carly Kind, has been interviewed on the ABC, one of our national broadcasters.

We're going to play you a quick clip before we get started, then we're going to sort of talk about what this all means.

Clip: Medibank is facing a potential fine of $21.5 trillion for allegedly failing to protect the sensitive information of its customers in one of the country's largest ever data breaches.

Certainly, our Privacy Act is out of date and requires updating. And the reason why that's important in the context of a case like this is that the Privacy Act can help to stem the collection of data in the first place, and that it's not enough for us to just go after problems after there's been a data breach like this, we actually have to change the way in which organizations collect and retain data in the first place and that's what reforms to the legislation might give us.

Anthony Woodward: Yeah. Wow. There's a lot to unpack there, Kris. The Carly, as Kris said you know, is the privacy commissioner here in Australia. And what she's talking about there in the clip is about Medibank.

And Medibank is one of our largest, one of the largest, , private health insurers in Australia. So handled quite a large section of the population's medical insurance here in Australia. And on or around the 25th of October, 2022. Medibank alerted the various authorities here in Australia, into a cyber breach, and that cyber breach appears, based on the time and what they have identified, to have affected about 9.7 million customers. So quite a large, section of the country here in Australia. What's interesting and what, what Carly talked about in the clip there was that that has now progressed to not just a formal investigation, but in fact, a civil litigation and civil action and penalties against Medibank. If you had to look at the complete application of the legislation in this area, that actually equates to 21 trillion.

And yes, starting with a T trillion dollars worth of penalties. So, pretty serious. Kris.

Kris Brown: Look and a fun number to ride out with all those zeros, but really, really serious. And certainly you can understand the seriousness when you start to think about what was released, obviously regular customer data, sensitive information, et cetera.

But because they were a private health insurer, lots of sensitive medical information, PII, passports, addresses, the regular sort of things that people are after, but also health diagnoses, surgeries, these sorts of things, and even all the way out to people's HIV diagnoses, for example. Very, very sensitive information, things that most people probably wouldn't want going to the public.

In the end, obviously, there was a request for a ransom, right?

Anthony Woodward: Absolutely, absolutely. And so we should be a little careful in the, you know, the extent of what sensitive information was captured by those in the data breaches. It's still a little unclear. I'm sure the privacy commissioner and others do know, but in the general public, it's not being fully reported the extent of that sensitive information.

We absolutely do know that personal information was released to the dark web as part of that ransom. We do know that there was a class action undergoing that has bought out a number of the elements that Medibank has claimed or made a counterclaim to, but we actually don't know the entirety yet of what level of data was exposed.

Now, what I think is implied, and this is an Anthony opinion just to cover it, it is the kind of data that you just referred to, quite extensive, quite deep, and wasn't just limited to Australian citizens. In fact, it was quite a lot of international citizens who may have also acquired travel insurance or temporary health insurance while being on shore. So whilst primarily an Australian problem, actually has far reaching elements out to a broader market.

Kris Brown: Yeah, back to the action itself. This was genuinely a ransom that was held it was played out in the media throughout October and into November of 2022. In the end, they refused to meet that demand. And I even remember a lot of calls from the public of like, you know, it just, right.

Like, we almost did the thing. We were going to pay the bad actor to make this go away. Not that I thought that that was actually a real thing, but it really did play on the psyche of Australians. And obviously, as you mentioned, other individuals.

Anthony Woodward: Yeah. And I think what, what is really interesting about what Carly had there in the clip, but also seeing from Medibank and the things to consider. It's the background that the privacy commission is putting out there is 'this isn't just about the breach'. So there's a lot of conversation, I know there's been held within the technology community and here in the privacy — our world in privacy and data governance, around things like firewalls, how did the hacker get in?

But that's not really the core focus of the commissioner. It's actually more about, yes, we need those things. Yes, there should be standards there, but the commissioner has really focused on, and I quote on "considering organizations that collect and use and store personal information have a considerable responsibility to ensure that data is held safely and securely, and that this case is all about sensitive data, and that's a quote directly from, from Carly Kind.

Kris Brown: Yeah, look, I think, too, we'll make sure we link to the broader conversation that was had by Carly and the ABC, the Australian Broadcasting Commission, but I want to chuck another quote in there too, right? Like, and it's "organizations can and must take reasonable steps to prevent this from happening." Cool.

Again, we're talking about that cybersecurity element. It looks like, you know, state of the art security measures, but she also made it very, very clear. It looks like good governance and it looks like, you know, organizational responsibility.

And she called out the board. She called out the boardroom in general across Australia and said, "this isn't just, you know, hey, we're a good corporate citizen." This is a legal responsibility and hence why they're bringing that case. And I think, you know, you probably know better than I Anthony as it relates to the case, but this is what they're really talking about in the case for Medibank and potentially even the reason why they're bringing this one first, because it's not the first breach in Australia. There were a number around this time, Optus and others, and Carly even mentions them in the clip.

Anthony Woodward: Yeah, let's break that apart a little bit, right? This is a civil penalties proceeding in the federal court in Australia against Medibank by the privacy commissioner. And what they're alleging was that between March 2021 and October 2022, Medibank interfered, and this is their language, not mine, with the privacy of 9.7 million Australians by not taking reasonable steps to protect personal information from misuse, unauthorized access, or disclosure of data. That is a finding under the Privacy Act of 1988. What's interesting is a couple of things about that, one, mostly people actually say that act is quite weak.

There's a new piece of legislation being written because Australia is a little bit behind the times. But it does show even that act has plenty of scope for this kind of proceedings to be considered by the commissioner and sue that this breach is of a serious enough nature that we progress to this level, there's been, there are other breaches that are relatively well known in the Australian and global market.

What's interesting, I think, is also that there are a number of other cases that the Office of the Australian Information Commissioner, so the Privacy Commission, as was previously known, is looking at. And what I think we want to think about as we think about this case, and I'm sure we'll talk about others in coming weeks podcasts, but this case and the commissioner did say this in some of her interviews has come to the front because there is so much evidence.

So the others are still in an investigation mode. You know, there's potentially a likelihood we don't know, but there is a potentially a likelihood they're hinting at, they also will have civil penalty proceedings, but this case is the first of those to actually come. And what I think is interesting is they are alleging the full impact. So where does that the number come with the trillions and trillions of dollars? Well, that is the maximum penalty, which can be issued for all 9.7 million people that were impacted.

Is that likely? I suspect there'll be a conversation downstream. You know, I don't think the Commissioner is going to look to bankrupt a large insurer in Australia, but the reality is that that is the full set of tools at her disposal within the Federal Court to have that conversation.

Kris Brown: That's a really interesting point, Anthony, because we are currently, like August is the date for it. We just had a podcast where we sort of got off the back with Chris Brinkworth and talking about the upcoming privacy legislation, because the current one's so weak, but here we are talking about a potential 21 trillion dollar fine, and that's the existing legislation.

And certainly Optus and Medibank and a handful of others sort of has led to this. And Carly admits that there's just been this push to update and make this more 21st century, if you will. However, she did call this out and she was very much saying that the goal here isn't to bankrupt businesses, because certainly my worry would be with that sort of fine that why would I communicate the breach?

Like, why would I, if I'm going to go bankrupt anyway, I may as well try and hide it. There's, there's that element of it. And I don't think the corporate responsibility of most of these organizations, we're probably not worried about those things, but she isn't saying 21 trillion is going to be the fine. I think even the words were, "the courts will find what's fair and reasonable in this situation."

I do believe that that's going to be a lot. It's a big deal. 9.7 million people, all of the data that we suppose has been allocated to this. But You spoke there very much about the case itself, and it wasn't so much "oh they got hacked and data went away", it's more about what they did before.

Anthony Woodward: Yeah, absolutely.

It's just one thing on the proceedings. It's not the only proceeding. There actually is also a class action that is also running alongside this. So in terms of the penalties and just to unpack that, the court can impose for each contravention — so 9.7 million — 2.2 million penalty. So that's, that's where the two trillion dollar number comes from.

That is the current situation and on top of that, there could also be civil penalties. So, I take your point that there is an obligation for everybody who does have a data breach, in fact, to report it in Australia, that's legislated in law. And if you found contravening that, then that's even a bigger issue, but there is a number of things Medibank is going to have to purport to about what they did before this occurred against those two different pieces of litigation that are going on.

And if we wind the clock back a little to look at those things, and again, what we know today, and more is going to come out, I think, as these cases go on. Firstly, and the commissioner again has been very clear about this, Medibank just had too much information. They actually didn't have 9.7 million customers.

It's a much smaller set of active customers they actually had, but they had 9.7 million Australians pieces of data. So I think, you know, number one, there's a concern at risk.

Kris Brown: Yeah, correct. And I think Carly made it very, very clear in the ABC interview and I've read and looked at many of the other pieces of press that she's done, and even just things that the OAIC has put out, they're really looking for that egregious, persistent violation of people's privacy. They're really trying to focus on making sure organizations put ample protections in place. Yes, those digital defenses, but also making sure that there's these other processes, good governance, good understanding of what you have, and as you point out, Anthony: If you don't have a reason to keep it, there's no legislative reason that you must keep this information, think of your customer, your resident, your citizen, your supplier first, and do good governance and get rid of these things.

They have admitted, and certainly this is a very pragmatic position to take, that the best digital defenses in the world are still vulnerable to sophisticated attacks.

This is the better mouse trap game, right? On one side, we've got cybersecurity teams trying to stop people from having access to information. And on the other side, we have the bad actors who absolutely want to get their hands on this because of all of the reasons that we've just spoken about now and that there's money to be had. There's huge fines, large penalties, which means that there may be organizations willing to pay those sorts of ransoms in order to get set.

So there's a financial incentive for bad actors to be at play here. And the OAIC is stipulating that they're not trying to bankrupt businesses. They want you to just take this seriously.

And again, this is the old legislation, I didn't do the math, but the new legislation potentially, this could have been an even more silly number in terms of the size.

Now, the good thing is, I think it's related, the new legislation is more related to percentage of revenue, right? That's right.

Anthony Woodward: Well, and we say new, it's not even yet proposed.

So let's just wire the track up a bit, the exposure drafts, and certainly the things people have seen seems to imply it will be similar to a GDPR model. If any on the audience is used to that, but the percentage of revenue style calculations. But we don't know that yet, as far as I'm aware, the draft isn't yet out to look at in great detail.

I think in the case of Medibank, what is key and there are some real, I don't use, again, this is an Anthony opinion rather than a record point opinion, but some pretty rookie mistakes in how they manage and handle data. And that's been relatively well published. The Russian based attackers, and I believe that has been established, and I believe in the case of Medibank, the attackers have actually been identified and a warrant has been issued for them by the Australian federal police. I don't believe at this stage, that has been completely processed. But my understanding is that the Russians have actually been working closely with the Australian federal police and are aware of the ransomware gang. And I believe they're called Reevil or Revil? I don't know if I'm saying that right, I need a Russian accent.

Kris Brown: I've read it. I haven't ever heard anybody say it with any confidence.

Anthony Woodward: So we kind of know what happened in terms of the getting in. And when I say it was a rookie mistake, you know, it appears based on, on the information out there from a bunch of different cyber experts that — and I think this is something for the audience to really contemplate — it was really just using some credentials from a third party provider and being able to get into their systems.

You can spend a lot of money on firewalls and fences and gates to check things, but unfortunately, those things happen.

Now, as technologists, you can implement a multi factor authentication, you can do things, but there are ways around that that still come in the front door. And I think it's, you know, obviously we would recommend best practice and gold standard, but there's still weaknesses in those processes, isn't there?

Kris Brown: Yeah, absolutely. And again, because it was internal credentials that were obviously likely achieved by phishing, the attack meant that it was obviously completed very, very quickly, they were effectively in and out very efficiently, which led to, you know, all of the data, you know.

I even think I read that they caught it in action, like they were watching hundreds of gigabytes of data going out the door, and the staff did actually see it go. But it was just it was so simple to walk in and pick it up that it was almost like they walked into the front door and just picked up a hard drive from the floor and there were several more there, they could have taken them, except a security guard eventually said, "Hey, can I get you to stop? What are you doing?" type of thing.

Anthony Woodward: Yeah, but I think what is then interesting, as you say, is there's two things:

One, having gold level security vote processes, gold level, things like multifactor authentication, very importantly implement.

But the second thing is really about the data itself. So yes, you should protect access. Yes, you should protect the controls, but the real substantive elements that are alleged in the civil proceedings is that there was a massive element of over retention. And over retention to a level of detail, it appears that needs to be considered because although I think businesses are beginning to become aware of, you know— don't hold driver's licenses, don't hold in this case, your health number, your Medicare card, don't hold some of the social security number if you're, if you're in the United States— those are the obvious things.

But in this case, it wasn't just the obvious things. It was Kris Brown's health data. It was Kris Brown's interactions with a healthcare provider. And that's not as easy to mask as those individual driver's licenses and other things.

So it's quite wide ranging.

Kris Brown: I'll repeat the quote from Carly that, you know, it's about good governance and good organizational responsibility in this instance. And certainly, you know, you and I have had a little bit of a chat about this prior, but. it's almost like they were ignoring that, if you will. And I'm using very strong words there in the sense that if you're keeping all of that data and you're not doing anything with it, you know, that this is the type of information you're dealing with.

You've got security in place. Yeah, the IT team did pick up the breach actually, apparently quite quickly, but it's we're just relying on cybersecurity and I'm going to go back to our tagline: it is an intersection of governance, privacy and security. This is what's happening. Those teams need to work together.

There needs to be this understanding of what it is they're protecting, why they're protecting it, and the how is just as important. There are gold standards you can put in play, but it's the age old: if they had good governance in place, what was the minimization of this risk that would have been at play?

Anthony Woodward: Yeah, and I think just for those that don't know some context and background, Medibank as a health insurer was pretty profitable up until this point. You know, they generated revenues somewhere in the order of seven and a bit billion dollars off the top of my head. And I believe the profitability was in the half a billion, so 500, closer to 600 million dollars. So these were definitely tools at their disposal to look after this data more effectively.

Kris Brown: There's no excuses, right? Like that's ultimately what OAIC are alleging is that there's not a lot of excuses. This, you are a business that is profitable, you have a good understanding of the type of data you're pulling in. And what are the things, and this is why the investigation has taken, you know, potentially quite some time, and certainly you they've taken their time to do this. But now that they've brought this to, these proceedings to the courts, it's game on. I'm going to be really, really interested to see how this plays out.

And I think certainly everybody, if you're a board member, if you're an organization that deals with any form of data that relates to customers, You should be incredibly interested in this, because it's not a matter of if, it's a matter of when. And I don't like to sell fear, this is not what I'm doing here, it is a matter, it's a great opportunity right now to go, "what are we doing, not just on the cyber perspective, but what am I doing from a privacy perspective", and "what am I doing from a governance perspective," because it's those three things together that ultimately have led to the failure here, for me, at Medibank, and certainly other reasons why these things are going to be a important moving forward.

Anthony Woodward: Yeah, you know, and again, the commissioner said it well when she talked about "the point of this case is a wake up call." You know, it really is that organizations need to make investments in their digital defenses, but also in the data regimes that whilst we're continuing to see legislative change, and I think this is happening across the globe, I think it is happening across the globe that regulators are being much clearer about the obligation that companies and people have about managing data and understanding data.

We're now really starting to see some teeth in the action of these things. And so whilst those reforms will continue in the legislation, there are things you can do today that will put you in a place where this won't occur. And Kris, what are you seeing now out there as we're talking to folk, uh, and you're talking to folk around what they're doing as a response these considerations?

Kris Brown: Yeah, look, you could go and listen to pretty much every one of these FILED episodes that we've had, especially where we've had some, some of the vendors in play to talk about what they're doing, but let's boil it down to some simple things: regular security assessments, good cybersecurity and digital defenses. And, you know, I'm not going to purport to be a cybersecurity expert, there are lots of people that we've had on who clearly understand this space a lot better than I, but you need to start there. You should, as I said, Carly has said, you must have good digital defenses in this instance, but I'm a big believer that in order to do a good job of that, you need to know what you've got.

You need to know what that data is. You need to know where that data is and you need to know what risk that data carries for you. And so just deeply understanding, having that inventory of your information, having that privacy signaling across that information, understanding where the sources are and how those sources are accessed and used is just incredibly important.

And then, you know, now I set the slide into my governance hat and it's like, you don't need to keep it. There's this opportunity to dispose and remove data. You now know what it is. It's been well classified. You understand your regulatory requirements. You also understand the value and the risk of that information.

You can make really good decisions about what you should and shouldn't be keeping, and that helps all of the other aspects. If you're trying to spend a limited budget on cybersecurity, and ultimately everybody's budget is limited in the case of Medibank, probably a little less limited than others, the goal here is to — at the gold standard — manage the stuff with the highest risk. And you can make good decisions from there about what you don't need to manage as deeply. Obviously, it'd be great if you could secure everything inverted commerce perfectly, but we know the hackers are trying to fix that. So understanding what you've got, disposing and removing of that data that you don't need, getting rid of all of the ROT, removing all of the access that you don't need, these things are huge.

And, and certainly, and I don't think I've done this on one of our podcasts, but it's: partner with a trusted organization who understands that data and compliance like a RecordPoint. This is actually key. This is really driving the market to a place of and for, I would imagine our listeners predominantly in that governance and privacy space, not necessarily as many people sitting in that cybersecurity space, but definitely have an interest in cybersecurity.

This is the piece that these three other parts of the organization need to come together. This is what they are doing. They are protecting the same resource, ultimately your information, your data, the corporate wisdom of the organization. And I just think this case really highlights that those three parts of your business must be communicating and must be working together with high quality digital defenses, high quality processes, high quality governance in order to ensure that you don't end up here.

You'll probably get breached. I don't think we can stop that, Anthony, but I think the issue is you don't want to end up here.

Anthony Woodward: And let's also be really clear: These are high profile cases we're talking about, Medibank, Optus, Target in the US other things that people are aware of we know just from the data from OAIC that just in Australia alone, there were 200 of these cases with large entities like Medibank that haven't struck the headlines and then thousands potentially beyond that, that didn't even get to that level. So, this is occurring all the time. And I think what really struck me you know, as we wind up, this podcast was an anonymous quote from, I believe, and from a source that, that I would trust, um, from a Medibank worker.

And the quote was: "I no longer work there. Obviously, it was a really big attack. There was a lot of laxness as to data." But the thing that struck me was the last point of the sentence, which was, "We didn't know what we had", and that's the starting point, right? You need to know what you have, so then you can start actioning it.

And I think that is consistent to the folk we talk to out there, people don't actually know what they're holding and what their risk is.

Kris Brown: Yeah, it's a tough lesson for Medibank and other organizations. You know, they would be remiss of them not to learn from this. I'll use the words a "monumental series of mistakes," especially off the back of that quote that you've just called out now, Anthony.

I hadn't heard that one, but a massive lesson for all organizations. As you say, these are the visible ones. There are plenty of other cases going on. Certainly, this is a really exciting time from my perspective as a FILED podcaster looking at this and going, "there's going to be lots more to talk about here," but this is a watch this space and certainly hopefully it leads to more organizations talking more and more about this, especially at that board level and and started to gain a requirement to do these things and understand that risk.

Anthony Woodward: Well, I think ultimately, it's the seriousness of the data here that this affects people's lives. This isn't theoretical zeros and one sitting in a database. This is real people who are potentially really struggling. Getting really hit by something they had no control over and ultimately that's what we got to protect for.

That's the point of these fines is the point of this conversation is, "how do we make sure this kind of impact doesn't happen again?"

Kris Brown: No, I agree.

Anthony Woodward: Fantastic conversation again. Like always, we could talk for quite some time, Kris, I think on these things and there's so much more. We'll definitely update you as the case continues and from what we understand, there are further cases to come with Optus. There are other cases in other parts of the globe we're certainly tracking and interested in.

It's been a great catch up on that. And again, as I said, we'll definitely dive more into what are the lessons here and how does it all fit? Thanks for listening.

I'm Anthony Woodward.

Kris Brown: And I'm Kris Brown. And we'll see you next time on FILED.

‍

‍

‍