Australasia's leading voice in digital health news
Blog: Medibank hack goes from bad to worse to diabolical

11 November 2022 | 3 comments
By Kate McDonald

The news just keeps getting worse following last month's hack of health insurer Medibank: actual sensitive medical data was released yesterday and today, accompanied by threats that more would follow, and late this afternoon the Australian Federal Police pinpointed Russian agents as the source of the attack.

While AFP commissioner Reece Kershaw did not name the actual criminal group responsible, it is a well-known outfit that was very active in ransomware attacks in 2020 and 2021 – including one on UnitingCare Queensland (UCQ) that infested its systems in May 2021 – but had been reasonably quiet this year.

No longer. What originally appeared to be an unauthorised access of Medibank’s database affecting some customers of its AHM brand and international student business quickly extended to its primary customer base, and then millions of former customers.

And now it seems that the crooks have not just accessed data but have stolen it, had a good poke around, and have released at least two dumps of very sensitive data relating to several hundred people who have made claims for abortions and drug and alcohol treatments. Medibank admitted last week that billing codes had been accessed, as well as provider names and locations. It is an absolute mess.

AFP commissioner Kershaw said today that his team knew which individuals were responsible and that they would be holding talks with Russian law enforcement about said individuals. “We believe that those responsible for the breach are in Russia,” he said. “Our intelligence points to a group of loosely affiliated cyber criminals who are likely responsible for passing significant breaches in countries across the world.”

He said the crooks operate like a business and have affiliates in other countries. He also claimed it might be possible to bring them to justice, and that the AFP-led Operation Pallidus was working with Commonwealth agencies and Five Eyes law enforcement partners, including the FBI. Operation Guardian, a joint initiative with state and territory police that was set up to protect more than 10,000 customers affected by the Optus data breach, is also being extended to Medibank customers.

“To the criminals, we know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” he thundered.

Dunno about that but we suppose these things need to be said to placate the public. Meanwhile, investigations continue into how the hack was possible in the first place. It seems to have come from something as simple as compromised login credentials, as Medibank hinted this week.

We recommend you have a read of this great piece by Australian-based journalist Jeremy Kirk from the Information Security Media Group (ISMG), who explains very clearly just how easily this can be done, with few people – including the hackers themselves – realising its import.

What was stolen and released does not appear to be actual medical records, but there seems to be enough information to link identifiable people to billing codes, and perhaps to conditions and treatments. We shudder to think what might come next.

That brings us to our poll question for the week:

Was Medibank correct in its decision not to pay the ransom?

Vote here and leave your comments below.

Last week we asked: Are the new virtual emergency department models worth the investment?

Most thought they were a good idea: 73 per cent said yes, while 27 per cent said no.

We also asked whether you thought they could be considered a bandaid covering systematic problems in the healthcare system. Here’s what you said.

3 comments on “Blog: Medibank hack goes from bad to worse to diabolical”

  1. Using the word “dunno” is not really offering me as a subscriber very much hope in your journalistic integrity.
    “Dunno about that but we suppose these things need to be said to placate the public.”

  2. Last week we asked: Was Medibank correct in its decision not to pay the ransom?

    The overwhelming majority agreed: 91 per cent to nine per cent said they were on the money.

    We also asked whether you thought ransoms should ever be paid. Here’s what you said.

    – These are criminals with no moral code, if they have the data and can make further money from it then they will.

    – No, should be illegal.

    – If you support paying ransoms – YOU are the problem.

    – Yes, kidnaps.

    – No. A law should even be passed to make it illegal for an Australian business to pay a ransom. This would make Australia a less desirable target for these criminals.

    – No

    – It depends

    – it encourages this as a business

    – It just perpetuates the criminal activity

    – Never pay a blackmailer they will just keep doing it. How many people really care about others medical history?

    – YES. IN THE EVENT THAT IT PROTECTS THE CONSUMER THE RANSOM SHOULD BE PAID.

    – yes

    – very subjective

    – No. Encourages criminal

    – No, can’t ensure that the data is destroyed or reused by the criminals

    – Just encourages more attacks

    – Yes. Ransom is not the only funding available to the criminals so not paying will not stop future cybercrime. I am sure there are situations where paying the ransom is the best/only option the company has to continue to provide service. However, organisations that pay ransom should then have more stringent mandatory reporting/audit/compliance requirements for a period of time. Use the knowledge gained from this reporting and disclosure to educate other potential victims (i.e. all of us).

    – Takes away incentive, no guarantee they will dump what they gained

    – Not for cyber attacks, it just encourages the criminals

    – No, it just encourages them. We talk about being open and accepting of diversity in our society. Then have a panic attack at the thought of this happening. My friends and family already know about my serious mental health issues. No one else cares.

    – Never give in

    – Never. Paying ransoms simply sends the wrong message that we’re ‘open for business’ to criminals. Solutions should include : 1. The continuous development of innovative security and privacy technology solutions including sophisticated encryption; 2. Regulations that keep personal record keeping to an absolute minimum including rules to delete all unnecessary data; and 3. Regulations that place complete control of all personal records into the hands of consumers.

    – Yes – Medical records should be protected at all cost no matter what! Otherwise why bother at all? What a joke! Saying not to pay because it might help fund hackers – too late, they are doing it already, they have funding; it's just insurance not wanting to pay – again! Seems like companies' interests over people's individual rights. So what next – My Health Record will be on the internet!

    – No, it only encourages more, but Medibank security must have been lacking.

    – No. It just encourages the attacks

    – No

    – Encourages further attacks

    – Payments are incentives

    – Not now, as the business model has changed. Now it is simply bog standard extortion – not simply paying for a key to unlock your encrypted systems. Paying up confirms that change in business model is a legitimate business for criminals. It will only embolden more attacks.

    – If you pay the ransom, it will never stop. They will keep hacking and demanding more money. Also, there is no guarantee that the information still won’t be sold or kept if you do pay the ransom.

    – No. These are criminal organisations that will reinvest in future attacks. There is appropriately zero chance that the data won’t be reused and/or sold to a third party

    – Can’t create a viable business model for hackers.

    – Depends on negotiation and case

    – No, you don’t know the hackers aren’t going to use the information or come back at you again. You have no guarantee that they will not use the data even if you pay!

    – I won’t say never but paying a ransom only encourages repeats of the behaviour.

    – Not for data that has been copied, only if deleted or encrypted and you have been negligent and have no backups. Paying ransoms encourages criminal activity and cannot guarantee deletion of copies.

    – Yes

    – No

    – No, It legitimises criminal activity. If it became illegal for a compromised business to pay cyber security ransoms in Australia, we would likely get left alone by this abhorrent crime would stop.

    – If you pay, you just confirm their business model. If they know no-one will pay their business model collapses.

    – Never

    – No. No guarantees data won’t be released anyway. Reinforces business model works.

    – Yes

    – No never pay once pay for ever

    – No. It perpetuates the problem

    – Never. It encourages more

    – Encourages others

    – YOU’RE DAMNED IF YOU DO AND DAMNED IF YOU DON’T

    – No encouraging crime

    – No. These are criminals we are dealing with. The data has been stolen and even paying a ransom won’t guarantee its return if that were at all possible. “No honour among thieves.”

    – It encourages them to do it again.

    – Just perpetuating the problem

    – No, it sets a precedent

    – No. It jams open the door – that then can't be closed – to invite every cyber criminal to hack in Australia.

    – Depends on impact on viability of business

    – They should never be paid. Why not? Because this provides leverage for the perpetrators to start bargaining.

    Ransoms being paid is highly dangerous. It enables these groups to become more powerful and expand. Eventually, companies will not be able to meet the demands and we need to stop this now. As an MBP customer I am nervous, but I applaud the way MBP have handled the breach, being very transparent with their customers and the government.

    – It is a slippery slope

    – No, There is no honour among thieves

    – No, just encourages more hackers.

    – Sets a precedent and will encourage more cyber attacks

    – No. Setting a precedent will encourage hackers to emulate.

    – Every situation is different – difficult question

    – No – because paying would encourage further similar criminal activity.

    – Maybe in a kidnapping

    – Do not ever pay a ransom. To pay will only encourage criminals to continue to attack and exploit companies.

    – no

    – It will fund more to do same

    – It will fund more to do same and other criminal activity to injure others

    – Fuels the ransomware industry.

    – No as it encourages the growth of this kind of activity

    – No, rewards criminal behaviour, and data has still been hacked so hackers can accept ransom and still sell on hacked data

    – no, encourages further attacks

    – No, it only supports their business model and encourages others. There is no way of verifying the criminals have destroyed copies of the data, and little chance that the data will not be passed on to third parties.

    – No. There can be no precedence therefore motivate is moot.

    – No, no guaranteed outcome and encourages future attacks

    – It will almost certainly lead to a spiral of further intimidation. There is potential to make a cost-risk decision case-by-case (e.g., the risk of the data coming out is $100M, the cost to pay the ransom is $10M; 10:1 is worth it), however, that money may be better spent on patching the original issue, and efforts to mitigate the damage to those affected. Once paid, I’m not sure there’s really anything stopping them from leaking anyway – outside of wanting to do “more business with you” in the future.

    – It encourages the Criminals, as it allows them to put in less work to simply get the data at first, then get paid and move on to the next hack. At least if the ransom is not paid, they need to then spend more time releasing the data and pushing the target organisation harder, so this will at least tie up their resources and hopefully slow down their move to subsequent targets.

    – No. Doesn’t guarantee a good outcome anyway and funds criminals to develop even better methods for future

    – They should never be paid. No matter how small. Once attackers know it is a source of income then they will keep trying. If no one EVER paid a ransom then I think the whole form of attack would have died out by now.

    – Do you really expect perpetrators to have scruples?

    – Yes, if it would lead to the capture of the person or person(s) responsible for the crime.

    – No. Don’t give in to criminals.

    – It is all well and good to take the high moral ground of not paying a ransom when your data isn’t being exposed

    – No, as it encourages further attacks

    – No. It only encourages further extortion as an effective way to make money.

    – Paying a ransom proves to the criminal that you will pay, opening up a never-ending stream of requests for money. Extortion never ends.

    – no, it will only encourage them to go on forever

    – No. Rewards malicious hacking. Becomes self sustaining.

Copyright © 2024 Pulse+IT Communications Pty Ltd. No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher. If your organisation is featured in a Pulse+IT article you can purchase the permission to reproduce the article here.