Invasive data hacks: are you ready for them?
Two companies have been squarely in the media spotlight in recent times, and not for the right reasons. When you hear “Medibank” and “Optus”, instead of praise, many now think “data breach”. The reputational damage on a business from a data breach can be detrimental, on top of the very real risk of identity theft and financial loss to employees and consumers.
We have recently reviewed the recent Optus data breach incident, and whilst both incidents are far from over, this article provides some further insight and updates regarding the Medibank data breach incident.
What happened to Medibank?
A quick timeline of key dates:
- 13 October 2022: Medibank announced a suspected data breach incident and stated at the time that there was no evidence that sensitive data, including customer data, had been accessed.
- 17 October 2022: Update, stating that there remains no evidence that customer data had been removed from the Medibank network.
- 19 October 2022: Medibank confirmed it had been contacted by a group (cyber criminals) to negotiate. A sample of compromised customer data was presented. A ransom demand was referenced. Medibank placed a trading halt on its shares.
- 25 October 2022: Medibank received a further sample of compromised customer data, and stated that it expected the number of affected customers to grow.
- 7 November 2022: It emerged that the data of some 9.7M customers across the Medibank divisions had been compromised.
- 9 November 2022: Customer data files began to be released on the dark web, continuing on a ‘drip feed’ for some weeks. Some data released designated customers according to a “naughty” or “good” list. Some data designated customers who had received mental health treatments as “psycho”. Some detail about sexual health and medical treatments was also released.
- 1 December 2022: All compromised customer data files were released on the dark web, with the cyber criminals suggesting “case closed” as they move on to the next target.
What’s coming next?
From the ‘legal perspective, a formal representative complaint has been made to the Australian Federal Privacy Regulator, the Office of the Australian Information Commissioner (OAIC). The OAIC has been asked to investigate the data breach incident, with a view to ordering penalties and compensation for affected customers. In addition, from the consumer side of things, class action relief is also being pursued.
What are the impacts?
From a ‘cost’ perspective, this has had, and will continue to have, for Medibank enormous impact. For business there is reputational damage, negative publicity, trading halts, mandated ASX disclosures, etc.
In terms of the emotional impact, there is loss of customer trust, customer distress, anxiety and loss of safety – with some customers even suffering or apprehending physical danger.
And finally, there is the financial cost. Medibank has already reportedly spent (on some estimates) some $25 million – $30 million on remediation action in response to the data breach incident. More is yet to come. On top of this, Medibank is also facing potential fines and pecuniary penalties, compensation orders and ‘class actions’, with some suggesting these could range into the “hundreds of millions” of dollars.
The cost equation will be exceptionally interesting to watch, as privacy penalties in Australia have historically not amounted to anywhere near these amounts.
The Australian Government has also recently passed Privacy amendment legislation, which significantly jumps the penalties up from $2.2 million, to the greater of $50 million, 3 times the benefit attributable to the breach/misuse of personal information, or 30% of turnover during the breach period.
Ransoms: To pay or not to pay? That is the question….
In line with the Australian Government’s positioning, Medibank apparently refused to pay the cyber criminals’ ransom demand (which has been estimated by some at $15 million). Some may consider Medibank should have paid the ransom in order to reduce the consequential impacts on customers, whilst others will hold the view that businesses “should not negotiate with terrorists”.
The jury is still out on whether paying a ransom is desirable or effective. A recent survey has suggested that, where 46% of organisations acceded to the ransom demand, only 4% got their data back in a useful, complete and unencrypted manner.
How does this impact your business?
Whilst businesses can try their best to implement systems to prevent data hacks or minimise the impact, you cannot stop them occurring. Cyber criminals are becoming increasingly smarter, which is providing them with more opportunities to access and exploit personal information. Whilst all types of personal data can be valuable, key risks relate to identity theft and financial loss.
How can you better prepare for a data breach incident?
Businesses that have an annual turnover of $3 million or above, are required to comply with Australian privacy laws and should have in place a fulsome privacy and data protection compliance program.
A privacy compliance program involves quite a few components, with one being that the business needs to have a clearly expressed and up-to-date privacy policy describing what personal information is collected, how it is managed, stored and secured.
A full privacy compliance program for business should include the following elements:
- an audit of existing privacy practices to identify gaps in compliance – including physical, personnel and IT security;
- a privacy policy;
- implementation of data collection forms and consent forms;
- implementation of complaints handling procedures;
- implementation of access and correction request procedures;
- implementation of a data breach response plan;
- staff training sessions; and
- ongoing and periodic audits to ensure compliance.
Key takeaways
- Experiencing a data breach incident is a matter of “when”, not “if”. You need to be suitably prepared for when they occur.
- You need to turn a priority focus to privacy and implement – or strengthen – your privacy and data protection compliance program and business procedures.
- The costs of a data breach can be sky-high – financially, emotionally and reputationally.
For further information or a review of your compliance with Australian privacy legislation, please contact Macpherson Kelley’s privacy experts.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
more
insights
stay up to date with our news & insights
Invasive data hacks: are you ready for them?
Two companies have been squarely in the media spotlight in recent times, and not for the right reasons. When you hear “Medibank” and “Optus”, instead of praise, many now think “data breach”. The reputational damage on a business from a data breach can be detrimental, on top of the very real risk of identity theft and financial loss to employees and consumers.
We have recently reviewed the recent Optus data breach incident, and whilst both incidents are far from over, this article provides some further insight and updates regarding the Medibank data breach incident.
What happened to Medibank?
A quick timeline of key dates:
- 13 October 2022: Medibank announced a suspected data breach incident and stated at the time that there was no evidence that sensitive data, including customer data, had been accessed.
- 17 October 2022: Update, stating that there remains no evidence that customer data had been removed from the Medibank network.
- 19 October 2022: Medibank confirmed it had been contacted by a group (cyber criminals) to negotiate. A sample of compromised customer data was presented. A ransom demand was referenced. Medibank placed a trading halt on its shares.
- 25 October 2022: Medibank received a further sample of compromised customer data, and stated that it expected the number of affected customers to grow.
- 7 November 2022: It emerged that the data of some 9.7M customers across the Medibank divisions had been compromised.
- 9 November 2022: Customer data files began to be released on the dark web, continuing on a ‘drip feed’ for some weeks. Some data released designated customers according to a “naughty” or “good” list. Some data designated customers who had received mental health treatments as “psycho”. Some detail about sexual health and medical treatments was also released.
- 1 December 2022: All compromised customer data files were released on the dark web, with the cyber criminals suggesting “case closed” as they move on to the next target.
What’s coming next?
From the ‘legal perspective, a formal representative complaint has been made to the Australian Federal Privacy Regulator, the Office of the Australian Information Commissioner (OAIC). The OAIC has been asked to investigate the data breach incident, with a view to ordering penalties and compensation for affected customers. In addition, from the consumer side of things, class action relief is also being pursued.
What are the impacts?
From a ‘cost’ perspective, this has had, and will continue to have, for Medibank enormous impact. For business there is reputational damage, negative publicity, trading halts, mandated ASX disclosures, etc.
In terms of the emotional impact, there is loss of customer trust, customer distress, anxiety and loss of safety – with some customers even suffering or apprehending physical danger.
And finally, there is the financial cost. Medibank has already reportedly spent (on some estimates) some $25 million – $30 million on remediation action in response to the data breach incident. More is yet to come. On top of this, Medibank is also facing potential fines and pecuniary penalties, compensation orders and ‘class actions’, with some suggesting these could range into the “hundreds of millions” of dollars.
The cost equation will be exceptionally interesting to watch, as privacy penalties in Australia have historically not amounted to anywhere near these amounts.
The Australian Government has also recently passed Privacy amendment legislation, which significantly jumps the penalties up from $2.2 million, to the greater of $50 million, 3 times the benefit attributable to the breach/misuse of personal information, or 30% of turnover during the breach period.
Ransoms: To pay or not to pay? That is the question….
In line with the Australian Government’s positioning, Medibank apparently refused to pay the cyber criminals’ ransom demand (which has been estimated by some at $15 million). Some may consider Medibank should have paid the ransom in order to reduce the consequential impacts on customers, whilst others will hold the view that businesses “should not negotiate with terrorists”.
The jury is still out on whether paying a ransom is desirable or effective. A recent survey has suggested that, where 46% of organisations acceded to the ransom demand, only 4% got their data back in a useful, complete and unencrypted manner.
How does this impact your business?
Whilst businesses can try their best to implement systems to prevent data hacks or minimise the impact, you cannot stop them occurring. Cyber criminals are becoming increasingly smarter, which is providing them with more opportunities to access and exploit personal information. Whilst all types of personal data can be valuable, key risks relate to identity theft and financial loss.
How can you better prepare for a data breach incident?
Businesses that have an annual turnover of $3 million or above, are required to comply with Australian privacy laws and should have in place a fulsome privacy and data protection compliance program.
A privacy compliance program involves quite a few components, with one being that the business needs to have a clearly expressed and up-to-date privacy policy describing what personal information is collected, how it is managed, stored and secured.
A full privacy compliance program for business should include the following elements:
- an audit of existing privacy practices to identify gaps in compliance – including physical, personnel and IT security;
- a privacy policy;
- implementation of data collection forms and consent forms;
- implementation of complaints handling procedures;
- implementation of access and correction request procedures;
- implementation of a data breach response plan;
- staff training sessions; and
- ongoing and periodic audits to ensure compliance.
Key takeaways
- Experiencing a data breach incident is a matter of “when”, not “if”. You need to be suitably prepared for when they occur.
- You need to turn a priority focus to privacy and implement – or strengthen – your privacy and data protection compliance program and business procedures.
- The costs of a data breach can be sky-high – financially, emotionally and reputationally.
For further information or a review of your compliance with Australian privacy legislation, please contact Macpherson Kelley’s privacy experts.