Health insurer Medibank's data breach diagnosis keeps getting worse

Australian health insurer Medibank's data breach was today revealed to be even worse than first thought, with a regulatory filing stating that info describing all four million customers has been accessed. Medibank first admitted to an attack on October 13. At the time it said it had taken down systems that run two sub-brands …

  1. Bubba Von Braun

    Optus you are kidding!!

    Having been exposed by Optus I find their self-serving letter a further insult. Add that to the four times Optus hung up as I tried to determine my exposure to their data mis-management. It took a legal threat to get the information so I can conclude the risks I am facing from Optus' incompetence rather than trust their self-serving advice.

    And now I am having trouble simply cancelling services. Excuse du jour is "We are having system problems and can you call back at another time!"

    Optus is now "Simply NO!"

    Gladly not a Medibank customer, but I do have some exposure to the hell currently occurring. It reminds me of a volcano erupting in Hawaii: just watching the lava consume everything and everyone involved in it.

    1. ThatOne

      Re: Optus you are kidding!!

      > has published a letter [...] that essentially absolves itself of blame

      It's the obvious thing to do if you can: why lose your precious, valuable time bothering with those pesky customers? Just tell them to go...

      On the other hand what can you expect from a company which calls itself obtus?

  2. JT_3K

    It's an interesting comment about "does not have Cyber Insurance". Like many of us, having operated in the tech sphere for some time and looking at it, there are usually enough holes in a cyber policy to drive a bus through and they're simply not worth the paper they're written on. Whilst I don't seek to support/endorse or pillory Medibank for their action or inaction (immediate, historic or in response), I do question whether the monies anyone directs at a cyber policy shouldn't be better spent on their aptitude and attitude towards internal protection. My research on a recent offering from a major player shows it:

    • Not covering any taxes, fines or fees incurred as a result of a breach (PCI, ICO, etc);

    • Only covering “legally payable Cyber extortion” (not to countries with which you shouldn’t trade, from which the attacks often originate);

    • Not covering if you’ve had any understanding of the ingress route, which could be leveraged to suggest as you had DLP tools or similar provided as part of a Microsoft agreement, that you should have had understanding of any route;

    • Wording meaning that proving a Cyber Threat is “credible” is critical to gain action, yet having not acted on it would be negligent should you be attacked;

    • Covering just the first 48hrs of an Emergency Response;

    • Voiding coverage if an incident is internally perpetrated;

    • Not covering any losses of Intellectual Property via Cyber, or financial losses because of losses of IP via Cyber;

    • Contains a clause worded in such a manner that if ingress was via a user clicking a link or having poor password hygiene, it would void the coverage for the incident, and human error causes 95% of cyber breaches;

    • Force-majeure is not covered (as usual) which in turn could feasibly be leveraged to cite that if a company the scale of Microsoft, the majority of a good number of SME IT provision, had issues that contributed, it could be stretched to suggest this nullifies a claim; and

    • Contains a clause which repeatedly cites “Direct result” which has been leveraged by insurers in the past where possible to pay nothing.

    When the annual cost of an SME policy with inherently lower liability could equivalently fund a programme of internal education, a discrete edge mail-filtering service from a major player and a "traditional endpoint AV" type solution and simultaneously has such little likelihood of providing value, I question why many look for one other than ticking a peace-time box with an executive board that hasn't been educated as such?

    1. Anonymous Coward

      "I question why many look for one other than ticking a peace-time box with an executive board that hasn't been educated as such?"

      I think you've answered your own question there: so much now seems to be simply trying to move blame for anything bad that happens rather than making an attempt to stop it happening in the first place. I see this all the time at my current place (1 month to go until retirement now :)): "if we pay x to look after this then it isn't my problem if it goes wrong". I really despair at the current mindset of board level executives who never look past how anything will benefit themselves personally, in the short term.

      1. EnviableOne

        The thing is, with the way GDPR is worded, Controller, Processor and Subprocessors are jointly and severally liable, so you might be able to outsource the blame, but the consequences and the costs are yours forever.

        1. Anonymous Coward

          "the way GDPR is worded, Controller, Processor and Subprocessors are jointly and severally liable"

          In theory yes, the reality depends on the local regulator. In the UK the ICO is a waste of space...

          I have the situation where a Data Controller (my GP Practice) is involved in sharing my personal (special category) health data for the past 9 years via a central IT system with, in theory, 600+ other organisations, where they have all allegedly participated as Joint Controllers. A local public agency has allegedly been engaged as a Data Processor by all the organisations (including my GP Practice) to run this system.

          There is a Data Sharing Agreement except (a) no org ever signed *any* version of it before early 2017, and (b) even then only <10 orgs apparently signed it. The DSA was written before GDPR and so doesn't take it into account (no new version agreed/signed since 2017). The DSA defines all participant orgs as Joint Controllers and the central org as a Data Controller; it does not clearly define lawful purposes, it does not define any lawful bases/conditions, it does not define an accurate list of participant orgs, but it does define that participant orgs are signatories to the DSA.

          There is no evidence of any alternative form of valid agreement between my GP Practice and the other so-called Joint Controllers, and ICO has not asked the Practice to provide such evidence. There is also no evidence of any format of contract/agreement between the so-called Joint Controllers (inc. my Practice) and the central body to act as a Data Processor for them (a breach of GDPR, a contract is required).

          The GP Practice has confirmed to ICO that they never signed the DSA, and that they have no idea at all who any of the other organisations are that may have access to my shared (by them) personal data. ICO has decided to take no action against my GP Practice regarding this...

          ICO are considering whether to take any action against the central org (Data Processor). [Magic 8Ball says: "outcome is not likely"]

          ICO won't take any action against the other 600+ orgs as (a) I have no evidence any of them has actually obtained my personal data (though they do have access to the system it is on), and (b) no-one else has complained about this sharing.

          At the start of this year I asked/demanded that the central org delete my data from the system; their response was "We're just a Data Processor and can't do that, go ask your Practice, the Data Controller, to delete it". However the Practice indicated to ICO recently that they asked/demanded TWO YEARS AGO that the central org delete my data and the central org replied "No can do" (obviously not their exact wording). From their wording it is not clear if they (a) refused, or (b) it was "umm....this system was never designed with deletion in mind so we don't have a method to do that", either of which form of response would be a breach of Data Protection law: a Data Processor failing to follow the instructions of the Data Controller/storage limitation principle.

    2. Anonymous Coward

      Essential 8

      Spending the money implementing the Essential 8 would be a much better use of the cash. All orgs should be able to get to maturity level one on all eight if they put some effort and money in. Then aim to get to maturity level 3.

  3. Winkypop

    Don't Panic!

    Executive salary bonuses are unaffected at this time.

  4. Anonymous Coward

    They're following my checklist

    PR Checklist

    1 - Nothing to see, move along. (complete)

    2 - A limited breach may have occurred but we have no evidence that any records were extracted. (complete)

    3 - We have fixed the problems and are working with law enforcement to identify the perpetrators. (complete)

    4 - There may have been some records extracted and we are working to determine how many and what sort of records. (complete)

    5 - It's on the dark web. Sorry about that. Our thoughts and prayers go out to you. (in process)

  5. sinsi

    It's worse than that Jim

    I've had nothing to do with Medibank...knowingly. Just received a text from Home Hospital who apparently used a Medibank service, so my data has been leaked. Just goes to reinforce the fact that you never know who has your data.

    Hey HH et al, if you are sending texts warning of a data breach, don't use a nxt.to URL to link to the information page.
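The point above, that a breach notification should not make its recipients click a third-party shortener link, can be turned into a simple check a comms team could run on outgoing notification text before it is sent. The example below is added here and is not from the original thread or from any of the organisations mentioned: the trusted-domain list, the sample messages and the shortener list are all constructed for illustration (nxt.to is included only because the comment names it).

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the organisation's own domains that a notification
# may link to. Hypothetical values for the example, not real policy.
TRUSTED_DOMAINS = {"example-insurer.com.au", "example-hospital.org.au"}

# Constructed list of link-shortening hosts. A shortener hides the real
# destination, so a recipient cannot tell a genuine notice from a lure.
KNOWN_SHORTENERS = {"nxt.to", "bit.ly", "tinyurl.com", "t.co"}

# Matches http(s) URLs up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url, trusted_domains=TRUSTED_DOMAINS):
    """Return 'trusted', 'shortener' or 'unknown' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_SHORTENERS:
        return "shortener"
    # Accept the domain itself and any subdomain of it (www., notice., ...).
    if host in trusted_domains or any(host.endswith("." + d) for d in trusted_domains):
        return "trusted"
    return "unknown"


def audit_notification(text, trusted_domains=TRUSTED_DOMAINS):
    """Find every link in a message and pair it with its verdict.

    Trailing punctuation that commonly follows a URL in prose is stripped
    so that 'https://host/path.' is judged on 'https://host/path'.
    """
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")
        findings.append((url, classify_link(url, trusted_domains)))
    return findings


def is_safe_to_send(text, trusted_domains=TRUSTED_DOMAINS):
    """True only if every link points at an allow-listed domain."""
    return all(verdict == "trusted" for _, verdict in audit_notification(text, trusted_domains))


if __name__ == "__main__":
    # Constructed sample messages, not real notifications.
    bad = "Your data may have been affected. Details: https://nxt.to/abc123"
    good = "Your data may have been affected. Details: https://www.example-insurer.com.au/notice."
    for msg in (bad, good):
        print(is_safe_to_send(msg), audit_notification(msg))
```

Run as a pre-send gate, the check rejects any message whose links do not resolve to the sender's own domains, which also removes the incentive for recipients to learn that clicking unfamiliar short links is normal.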

  6. david 12

    "cover the cost of replacing ID documents"

    I've been following this and the Australian Optus leak, and I've not seen an explanation of why 'replacing ID documents' would be a good thing.

    The whole point of passports and photo-ID driver's licences in Australia is that the physical item must be presented for ID. The organizations have kept photocopies and passport/licence numbers as proof that they've sighted the documents, required for regulatory reasons, but those records aren't physical items and can't be used for ID.

    ????
