And yet
The Medicare CEO and Board still have their jobs.
I guess they will scapegoat some middle manager from IT for the mega cockup.
The Australian Federal Police (AFP) has pointed to Russia as the location of the attackers who breached local health insurer Medibank, accessed almost ten million customer records, and in recent days dumped some customer data onto the dark web. The release of customer data – some of it containing intimate details of health …
I don't see how they have any customers left. I'd jump ship if I hadn't already several years ago (and still they were holding on to my details to lose for some reason).
I know my partner's looking elsewhere now. Vote with your feet, people; that way the CEO's and Board's jobs will take care of themselves.
Sure, let's go after the people who robbed the bank. But don't you think that maybe you should have installed a vault rather than a fly screen door? Shouldn't someone be held accountable for that?
I saw something in an earlier press release about how they gained access to a login that allowed them to access all 9 million records. That is a fundamental failure of:
- design
- implementation
- security
- IT governance
- QA
- legislation and/or law enforcement
- shareholder governance
But more than the fact all 9 million records were available to any account, what about field level security?
This is an enormous failure by coders/programmers turning a blind eye to poorly implemented systems and just walking home with the pay check. And all management up from there, all the way to the prime minister's desk. We could look at the lack of protection for whistleblowers for a start.
"But more than the fact all 9 million records were available to any account, what about field level security?"
Lazy design - allow everyone to see everything or all sorts of things get complicated to do
Or
Paranoid management PHBs that think that they have to be able to micromanage their staff
It is the Aussies fault that they were complacent about their own security systems. If my house is burgled then, if I have poor locks or no CCTV, it is my fault that I made it easy to break in.
The problem is Aussies still think that they live in isolation like it was before the Internet. They have to realise that the Internet does not respect geographical boundaries.
Of course they could adopt the model used by Russia and China where everything is filtered...
Aussies are no different to the average Brit, American or any other first world country.
We allow governments and corporates to continue to accumulate data about us without regard for the consequences. We freely post the minutiae of our lives on so-called social media; once assembled it is so easy, the things one would once dumpster dive for are now laid out conveniently at our fingertips to search and correlate.
And we howl when this gets abused, yet we do little to change the situation; we line up for our free email account, knowing full well it's being mined. We accept governments' excuses that they need to store and link everything together in one place. We put identifiers on census data so we make sure everyone completes it, for what reason? Likely nothing more than some mindless compliance.
For years others have been warning of the consequences of these honey pots, and to those who would blame the programmers, network and systems engineers: have a look at yourself. Is everything you have done perfect? I certainly can't make that claim.
There does need to be consequences for corporates and government, but these consequences need to be painful and serious. Not some dinky fine that is a cost of doing business. Start jailing directors and you will quickly find the C-Suite finding the $$ to properly support the necessary workers and upgrades.
But we also need to accept some responsibility as individuals. The excuse is it's inconvenient, too hard, or too slow; I have heard a myriad of excuses to lower barriers. Privacy matters, but over time we have allowed or been lulled into thinking you don't have the right to privacy (or in Aussies' case we don't have "rights"). Maybe I should misquote Benjamin Franklin:
"Those who would give up Privacy, to purchase a little convenience, deserve neither Privacy nor Safety."
I don't get why people think CCTV stops burglaries. It might deter someone. But round my way the meth-heads couldn't care less. Because even if the cameras are working and record sufficiently good images to identify the burglars, then there's no punishment. Only getting caught 1 in 100 times and having no penalty at all is good going.
Yes, maybe their security was lax - I don't know, I'm not an expert on such things, but the above comments come over very much like "She was asking for it, wearing such a short skirt.". At least Medibank did the right thing by refusing to pay. If more organisations had the sense to do that, the problem wouldn't exist.
The victims are the customers, not Medibank. No-one is blaming the customers.
Since this is a state sponsored attack - paying them or not paying them probably doesn't really determine their future behaviour - the state sponsor is satisfied with creating chaos, fear, uncertainty etc.
This is simply a criminal enterprise out to obtain maximum value. They are simply making an example of Medibank's refusal to pay so they can point to the consequences when they strike their next victim.
State sponsored actors tend to be information gatherers. I have worked on numerous events, some criminal, some state-based, and the latter is almost always about gathering information and access. State-based actors, when they strike, destroy/disrupt, not hold to ransom.
These folks are simply protected as Russia won't do anything about them, likely due to kickbacks.
-> At least Medibank did the right thing by refusing to pay.
And now their patients are going to pay. I take your point about victim blaming, but there is an implicit understanding that if you have my property or data then you will look after it. These organisations collect data so there is an expectation they will protect it.
The gloves should be off. I don't know how this is done but:
1. Many who designed, created and managed this system, screwed up. That needs fixing, obviously at the board level too.
2. Many who purportedly govern, police, and legislate are a bunch of clowns. They need clearing from the board when adequate replacements are found.
3. If this were done in collaboration with a state, that state needs to be dismantled, whatever the cost.
4. The niceties of borders protecting those who do this needs reconsideration.
5. Individuals, who're worthy, need to get educated and get the power to over-ride the idiocy and evil of the above.
Maybe fat chance of a perfect solution, but we should try.
Probably: Moscow (chekists) delenda est.
There is no way that the Australian government can do anything to Russian hackers.
There are no laws or mechanisms in Australia to hold companies to account when they fail to protect our data. The Australian government also has data retention laws that require companies to hold onto all personal data for 7 years.
Unfortunately, there is no political will to fix these underlying issues so the government comes up with some bullshit “taskforce” story knowing that they will never catch the criminals or hold them to account.
It is all a joke and the joke is on the Australian public.