back to article Australia blames Russia for harboring health insurance hackers

The Australian Federal Police (AFP) has pointed to Russia as the location of the attackers who breached local health insurer Medibank, accessed almost ten million customer records, and in recent days dumped some customer data onto the dark web. The release of customer data – some it containing intimate details of health …

  1. Winkypop Silver badge

    And yet

    The Medicare CEO and Board still have their jobs.

    I guess they will scapegoat some middle manager from IT for the mega cockup.

    1. ChoHag Silver badge

      Re: And yet

      Didn't you see? They're blaming Russia. Because as we all know when you're caught with your pants down, it's the intruder's fault.

      1. John Brown (no body) Silver badge

        Re: And yet

        "blaming Russia."

        Clearly it must have been "rouge engineers" :-)

        Yeah, the rouge one, thanks ------------->

    2. Mayday Silver badge

      Re: And yet

      It wasn’t Medicare. It was Medibank.

      Medicare is the public (government) health scheme and Medibank is a health insurance provider.

      1. Winkypop Silver badge

        Re: And yet


        My apols.

    3. Sampler

      Re: And yet

      I don't see how they have any customers left, I'd jump ship if I hadn't already several years ago (and still they were holding on to my details to lose for some reason).

      I know my partner's looking elsewhere now. Vote with your feet people, that way the CEO & Boards jobs will take care of themselves..

  2. aaaa

    Details details details

    Sure, let's go after the people who robbed the bank. But don't you think that maybe you should have installed a vault rather than a fly screen door? Shouldn't someone be held accountable for that?

    I saw something in an earlier press release about how they gained access to a login that allowed them to access all 9 million records. That is a fundamental failure of:

    - design

    - implementation

    - security

    - IT governance

    - QA

    - legislation and/or law enforcement

    - shareholder governance

    But more than the fact all 9 million records were available to any account, what about field level security?

    This is an enormous failure by coders/programmers turning a blind eye to poorly implemented systems and just walking home with the pay check. And all management up from there all the way to the prime ministers desk. We could look at the lack of protection for whistleblowers for a start.

    1. David Pearce

      Re: Details details details

      "But more than the fact all 9 million records were available to any account, what about field level security?"

      Lazy design - allow everyone to see everything or all sorts of things get complicated to do


      Paranoid management PHBs that think that they have to be able to micromanage their staff

  3. steamnut


    It is the Aussies fault that they were complacent about their own security systems. If my house is burgled then, if I have poor locks or no CCTV, it is my fault that I made it easy to break in.

    The problem is Aussies still think that they live in isolation like it was before the Internet. They have to realise that the Internet does not respect geographical boundaries.

    If course they could adopt the model used by Russia and China where everything is filtered....

    1. Bubba Von Braun

      Aussie are no different to the average Brit, American or any other first world country..

      We allow governments and corporate to continue to accumulate data about us without regard for the consequences. We freely post the minutia of our lives on so called social media, once assembled it so easy, the things one would dumpster dive is now laid out conveniently at our finger tips to search and correlate.

      And we howl when this gets abused, yet we do little to change the situation, we line up for our free email account, knowing full well its being mined. We accept governments excuses we need to store and link everything together in one place. We put identifiers on census data so we make sure everyone completes it, for want reason likely nothing more than some mindless compliance.

      For years others have been warning of the consequences of these honey pots, and to those would would blame the programmers, network and systems engineers have a look at yourself.. Is everything you have done is perfect. I certainly cant make that claim.

      There does need to be consequences for corporate's and government but these consequences need to be painful and serious. Not some dinky fine that is a cost of doing business. Start jailing directors and you will quickly find the C-Suite quickly finding the $$ to properly support the necessary workers and upgrades.

      But we also need to accept some responsibility as individuals.. The excuse is its inconvenient, too hard, or too slow I have heard a myriad of excuse to lower barriers. Privacy matters, but over time we have allowed or been lulled into thinking you don't have the right to privacy (or in Aussies case we don't have "rights"). Maybe I should misquote Benjamin Franklin

      "Those who would give up Privacy, to purchase a little convenience, deserve neither Privacy nor Safety."

    2. Phil Kingston

      Re: Deflection

      I don't get why people think CCTV stops burglaries. It might deter someone. But round my way the meth-heads couldn't get less. Because even if the cameras are working and record sufficiently good images to identify the burglars then there's no punishment. Only getting caught 1 in 100 times and having no penalty at all is good going.

  4. Will Godfrey Silver badge

    Victim Blaming?

    Yes maybe their security was lax - I don't know, I'm not an expert on such things, but the above comments come over very much like "She was asking for it, wearing such a short skirt.". At least medibank did the right thing by refusing to pay. If more organisations had the sense to do that the problem wouldn't exist.

    1. aaaa

      Re: Victim Blaming?

      The victims are the customers, not Medibank. No-one is blaming the customers.

      Since this is a state sponsored attack - paying them or not paying them probably doesn't really determine their future behaviour - the state sponsor is satisfied with creating chaos, fear, uncertainty etc.

      1. Bubba Von Braun

        Re: Victim Blaming?

        This is simply a criminal enterprise out to obtain maximum value. They are simply making an example of Medibank's refusal to pay so they can point to the consequences when they strike their next victim.

        State sponsored actors tend to be information gathers, I have worked on numerous events, some criminal some state-based and the later is almost always about gathering information and access. State based actors when they strike destroy/disrupt not hold to ransom.

        These folks are simply protected as Russia wont dont anything about them, likely due to kickbacks.

      2. Phil Kingston

        Re: Victim Blaming?

        Are they saying it's state-sponsored now?

    2. Version 1.0 Silver badge

      Re: Victim Blaming?

      Originally, until a year ago, I only saw a security attack on the corporate mail server every month or so, nowadays it's hourly all day long.

    3. VoiceOfTruth Silver badge

      Re: Victim Blaming?

      -> At least medibank did the right thing by refusing to pay.

      And now their patients are going to pay. I take your point about victim blaming, but there is an implicit understanding that if you have my property or data then you will look after it. These organisations collect data so there is an expectation they will protect it.

      1. Cincinnataroo

        Re: Victim Blaming?

        Lets not be too silly here. If Medibank pays then the members pay too. They don't have a magic money tree reserved for paying these criminals.

    4. david 12 Silver badge

      Re: Victim Blaming?

      Where I live, it is against the law to leave your keys in your unintended motor vehicle. If that comes across as 'victim blaming', then perhaps

      more 'victim blaming' would be good thing.

  5. Cincinnataroo

    Lets try to fix it

    The gloves should be off. I don't know how this is done but:

    1. Many who designed, created and managed this system, screwed up. That needs fixing, obviously at the board level too.

    2. Many who purportedly govern, police, and legislate are a bunch of clowns. They need clearing from the board when adequate replacements are found.

    3. If this were done in collaboration with a state, that state needs to be dismantled, whatever the cost.

    4. The niceties of borders protecting those who do this needs reconsideration.

    5. Individuals, who're worthy, need to get educated and get the power to over-ride the idiocy and evil of the above.

    Maybe fat chance of a perfect solution, but we should try.

    Probably: Moscow (chekists) delenda est.

  6. Anonymous Coward
    Anonymous Coward

    Just a smokescreen to obscure the real issues

    There is no way that the Australian government can do anything to Russian hackers.

    There are no laws or mechanisms in Australia to hold companies to account when they fail to protect our data. The Australian government also has data retention laws that require companies to hold onto all personal data for 7 years.

    Unfortunately, there is no political will to fix these underlying issues so the government comes up with some bullshit “taskforce” story knowing that they will never catch the criminals or hold them to account.

    It is all a joke and the joke is on the Australian public.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like