… also allows them to invest in their business in order to conduct an even bigger and better hack next time.
This has been discussed in this forum before but my tentative position is that a company paying a ransom should be illegal except in cases of data loss. That would actually protect the company from a small portion of the reputational damage because they can hide behind the (true) claim that they are not legally allowed to pay the ransom. It also somewhat discourages a ransom organisation from bothering to target the company in the first place since they know it is unlikely that the ransom will get paid.
This is in stark contrast to the current government’s lame proposal to increase the fines, which actually makes it more likely that ransoms will get paid (although there is certainly room for argument about the consequences, intended or otherwise).
There are some arguments against this, but Uber’s Chief Information Security Officer is facing jail time for paying off hackers. (Largely because he tried to cover it up, but it is still a juicy precedent.)
The trouble with just criminalising ransom payments is that it may create perverse incentives, for instance to try what the Uber guy did instead of telling your customers that you messed up.
Totally. As I said, a tentative position, trying to make the best of a bad situation. However this is better than the perverse incentive of a $50m fine (which simply creates space for the hacker to increase the ransom demand, and really just forces the company to choose who is going to thieve from it, government or hacker).
I think we need to take money out of the equation, as far as is possible, so that there are no incentives to keep it quiet but a strong disincentive to pay a ransom - and also less incentive for a ransom demand to be made in the first place.
I don’t know how Uber managed to hide a $100k payment in the accounts but obviously any ransom payment that is illegal needs to be hidden, which may then require a wider “conspiracy” within the company and make getting caught more likely. (In most organisations every employee will have an authorised spending limit without higher approval, which may be $0 for a great many employees, but once you get to the C-suite, the limits may be high.)
Medibank specifically, as a listed company, would not want to go down that road. It would likely make a bad problem worse, as it did ultimately for Uber.
Another email from Medibank yesterday includes this disclosure:
Which of your data has been stolen
Based on our investigation, we can confirm the following data relating to your membership has been stolen:
• first name and surname
• date of birth
• email (where you have provided it to us)
• phone number (where you have provided it to us)
• policy number
• Live Better activities & rewards data (where this applies to you)
We believe the criminal has not stolen:
• Credit card and banking details
• Your health claims data
• Primary identity documents, such as a driver’s licence. Medibank does not collect primary identity documents for Australian resident customers except in exceptional circumstances
• Health claims data for extras services (such as dental, physio, optical and psychology).
Since I didn’t make any health claims for my ambulance cover, from maybe 4 or 5 years ago when I had it, they have even less than was taken with the Optus hack, as no credit card/bank account info was apparently taken.
The credit union I bank with were on the ball though; weeks ago they gave me a new account number, as they picked up that I previously had an automatic debit to Medibank. Not required given the above info from Medibank, but good to see they were proactive nevertheless.
Which reveals a fundamental problem with data retention after a customer ceases to be a customer. Take note, Government.
I have never received any communication from Medibank, despite being a former customer who is definitely still in their system - because they have no way of contacting me. Snail address definitely changed since I ceased to be a customer, ditto phone number, email address unsure.
However I have contacted them (in this scenario) in order to establish what my exposure is. Final answer: No exposure (but that is by accident rather than by design).
A less motivated former customer may never realise that there is even a problem …
Any customer data that is out there should be made useless by making any information that the Fr#$acker$ stole worthless (especially primary identification documents).
There should be government legislation in place to make companies that have had their customer data breached pay for:
Replacement of any primary identification documents.
Any Credit reporting/identification protection service for a minimum of 5 years or more.
Credit reporting agencies (e.g. Equifax) should have a credit block in place for any unauthorised access to the affected individual’s credit file, and not the standard 21-day block. This should be a simple toggle to turn the block on or off from the credit reporting agency’s service portal or mobile app.
As for the government’s offensive response to dealing with hackers directly: send bounty hunters across the border to do (use your imagination). Hackers don’t give a sh#$%$ about being remotely cyber-hacked themselves. Other countries’ government agencies are probably doing the same thing and hackers are not intimidated enough, but when there are no borders, it makes it interesting.
Another good update site to follow if you’re involved as a customer is IDCARE’s “Medibank & AHM breach response” page (help and advice for current and former Medibank and ahm customers). This site provides info on all affected data fields, the risks associated with them, and what to do to protect yourself.
“IDCARE as Australia’s national identity and cyber support community service has been engaged by Medibank to assist community members who have concerns about the exposure of their personal information.”
If you ever get hacked, scammed or whatever and don’t know what to do, call them on 1800 595 160 for help. Their “Individual Support Services” page summarises their services, which I understand to be free.
OK, fun question: As a result of Australia’s dubious tax system, a health insurer may know what family income tier a customer is in. Was this data copied?
If I were a criminal organisation and looking to exploit this data for identity theft purposes, I think it would be fantastic to be able to sort by family income descending, and target more lucrative customers first.
Personally I choose not to report my income to my health insurer, as it is too variable, and just sit in the bottom tier and if I am not in the bottom tier one year then I will sort it out with the ATO when my tax is assessed. I have no idea whether that is what most people do (hopefully!).
Much talk of large volumes of data being transferred for backup etc.
The reality is that such data is transferred over a SAN, not over the internet, which is far too slow.
SANs (Storage Area Networks) operate between storage sub-systems at the host and backup sites, with transfers over dedicated fibre, and none of the internet overhead. They allow a site to operate with (near) zero data loss. Medibank would not require automatic fail-over to the backup site, but it would likely need (and ought to have) zero data loss processes, with a recovery time objective of a few hours.
Internet traffic is entirely separate. If Medibank had 2FA for all privileged users, this hack would not have succeeded.
You can bet London to a brick that none of the Medibank executives had data security as a KPI, and they probably had not bothered to perform any security hardening in some time - especially a vulnerability assessment. Why would they bother if they weren’t measured on it? You could not have sold such services to Medibank Private if no-one was on the hook for having a high level of security.
It is far more effective to prevent the loss rather than detect it in real time, which at best only allows the loss to be reduced.
Australia’s lax laws allow our corporate cowboy culture to gouge data; hold it for much longer than warranted; and fail to take simple steps to protect it.
The language they use in their advice to “customers impacted by this data theft” is all about avoiding responsibility for the manner in which they left the door wide open. They may as well have hung a sign out the front: “No security cameras in this store. The doors are unlocked and the store is unattended. Please don’t steal from us.”
I can’t speak for Medibank but where I work, I doubt that any execs have security as a KPI but we get annual external pen testing, external IT security audit, …
KPI or not, it’s just best practice for IT.
It’s as much the other way round though. Australia’s sh***y laws force companies to hold data longer than the company needs it. This is specifically the case for Medibank where *****y state laws require data to be retained for (e.g. NSW), worst case, 25 years.
Personally, I don’t approve of this. I think it is the wrong direction to be going in. I wouldn’t object if the government legislated to prevent this. It will however be interesting to see, if Medibank loses, how damages are assessed, and what damages amount to (i.e. how many $$ the average customer gets).
In the interests of disclosure: Not a Medibank customer, not affected by this data breach, not a Medibank shareholder - so, as far as I can tell, I don’t have a financial interest in the outcome of this litigation.
Unfortunately, with most of these class actions there is only one winner, and it won’t be the consumer affected by the breach.
I would rather see any monies spent to prevent any further breach. Any payout is likely to come from business operations. Less money for operations means potentially less money to be spent on IT/security. It is counterintuitive.
That is certainly one of my concerns. Medibank could spend millions of dollars defending this litigation, when such money could be better deployed on improving their data security, rather than lining some fatcat lawyer’s pockets.
I have seen it suggested that, because this action is going through the OAIC, it will not drag on for years, as it would if it went through the Supreme Court, but it must surely still be a C-suite-level distraction for the company.
Quite often the class action lawyers still get paid, as there are usually secondary financial backers of the action. This well-known class action lawyers’ website explains it well:
External funders often help resource shareholder class actions. First, potential financiers carry out a risk assessment on a potential class action. If they’re convinced that the lawsuit’s prospects are good, they enter into an agreement with the law firm to pay some or all of the legal fees. And if the class action settles successfully, these funders receive a commission.