Medibank data breach

That only works for current customers. So it needs to be paired with legislation that makes Data Retention illegal (except where, regrettably, legislation explicitly requires Data Retention - and except in certain legitimate scenarios e.g. you leave under a cloud with a dispute pending).

For sure. That is one of the hardest situations.

Perhaps those level users should be required to use 2FA though. I haven’t specifically seen an article saying that that is what happened (but I think you are right). Do you have a link?

Also, if the application architecture allows it then separating out the administrative roles for the different tiers may help. For example, the DataBase Administrator has full, unrestricted read-write access to the database - but if encrypted fields are used for sensitive data then accessing the corresponding plaintext field values may not be possible to the DBA and instead only the application tier administrator has the decryption key (but, conversely, the application tier administrator does not have unrestricted access to the database).

Very high security environments even require administrators to log in in pairs i.e. the system prompts for two passwords in succession, one admin knows the first password, another admin knows the second password, neither admin knows both passwords.

High security / high sensitivity environments will at least audit all read access (at least at an application level). How many zillion records per day would that generate for Medibank? Best not to ask. :wink:

2 Likes
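The tiered-admin idea in the post above (DBA sees the database but not the plaintext of sensitive fields, the application tier holds the decryption key, dual-control key material, and every read audited) can be made concrete. The following is an added example, not code from the thread or from Medibank; every name (`dual_control_key`, `AppTier`, `dba_dump`, the table layout) is hypothetical, the member data is constructed, and the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag because it needs only the standard library. In production you would use AES-GCM from a vetted library and a key held in an HSM or KMS rather than in process memory.

```python
import hashlib
import hmac
import json
import secrets
import sqlite3
import time

# --- Dual control: two admins each hold one passphrase; neither alone can derive the key ---
def dual_control_key(passphrase_a: str, passphrase_b: str, salt: bytes) -> bytes:
    """Stretch each passphrase separately, then combine the halves through HMAC."""
    part_a = hashlib.pbkdf2_hmac("sha256", passphrase_a.encode(), salt + b"A", 200_000)
    part_b = hashlib.pbkdf2_hmac("sha256", passphrase_b.encode(), salt + b"B", 200_000)
    return hmac.new(part_a, part_b, hashlib.sha256).digest()

# --- Field encryption (stdlib stand-in for AES-GCM; assumption noted in the lead-in) ---
def _subkeys(key: bytes):
    return (hmac.new(key, b"field-enc", hashlib.sha256).digest(),
            hmac.new(key, b"field-mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)                      # fresh per field value
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag                              # nonce || ciphertext || tag

def decrypt_field(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short to be a valid field ciphertext")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):           # detects tampering by a DBA or attacker
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Storage: the database holds only ciphertext for sensitive columns ---
def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (policy_no TEXT PRIMARY KEY, name TEXT, health_claims BLOB)")
    db.execute("CREATE TABLE read_audit (ts REAL, actor TEXT, policy_no TEXT, fields TEXT)")
    return db

class AppTier:
    """Only the application tier holds the key; it also writes the read-audit row."""
    def __init__(self, key: bytes):
        self._key = key

    def store(self, db, policy_no: str, name: str, health_claims: str) -> None:
        blob = encrypt_field(self._key, health_claims.encode())
        db.execute("INSERT INTO member VALUES (?, ?, ?)", (policy_no, name, blob))

    def read(self, db, actor: str, policy_no: str) -> dict:
        row = db.execute("SELECT name, health_claims FROM member WHERE policy_no = ?",
                         (policy_no,)).fetchone()
        if row is None:
            raise KeyError(policy_no)
        # Audit the read before any plaintext leaves this function.
        db.execute("INSERT INTO read_audit VALUES (?, ?, ?, ?)",
                   (time.time(), actor, policy_no, json.dumps(["name", "health_claims"])))
        return {"name": row[0], "health_claims": decrypt_field(self._key, row[1]).decode()}

def dba_dump(db) -> list:
    """What an unrestricted database login sees: the ciphertext bytes, never the key."""
    return db.execute("SELECT policy_no, name, health_claims FROM member").fetchall()

def audit_trail(db) -> list:
    return db.execute("SELECT actor, policy_no, fields FROM read_audit").fetchall()

if __name__ == "__main__":
    key = dual_control_key("admin-one-secret", "admin-two-secret", b"constructed-salt")
    db, app = open_db(), AppTier(key)
    app.store(db, "P-0001", "Jane Citizen", "constructed sample: physio claim 2021")
    print("DBA view:", dba_dump(db))
    print("App view:", app.read(db, "agent-7", "P-0001"))
    print("Audit:", audit_trail(db))
```

The point the thread makes is visible in the two views: `dba_dump` returns bytes with no plaintext in them, `AppTier.read` is the only path to plaintext and it cannot complete without an audit row. Rotating the key means re-encrypting the column, so in practice a per-record data key wrapped by a master key (envelope encryption) is the usual refinement.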

I think the biggest issue was that originally Medibank made a statement that seemed to indicate there was no customer data lost, then it became a small group of AHM and international students, then a larger group and now the full membership database. Perhaps a better original statement would have been to warn all customers that total loss was possible and details would be updated as further knowledge was obtained.

What audit procedures/processes do they have in place? It seems they are relying on what the hacker releases to them, that then apprises them of the extent of the damage, rather than having robust audits to discover the damage for themselves.

3 Likes

I wouldn’t have gone that far. I would just indicate that investigation to establish the scope of the breach is ongoing.

I mean it’s not incorrect to claim that the possible scope of the breach is “total” at the point in time when you don’t know but it may be unnecessarily alarming when the reality may differ wildly from that.

1 Like

OK, so that’s even worse. Copying away data for e.g. identity theft purposes (or even blackmail purposes in the case of health data) is one thing. However full admin rights can mean that data has been altered (or deleted), and not just data but also code and configuration etc.

There’s really only one option. Take the system offline, blow the system away and restore from last known good backup.

Well as a Systems Programmer for many years for large companies, I can tell you that the big banks and gov services are handling easily 10,000 online and batch transactions per second.
Try auditing that.

1 Like

Oh crap. More Data Retention.

Medibank said it was required by law to hold onto past customers’ data

Laws, such as […], require the company to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old.

Source: Medibank says all customers' personal data compromised by cyber attack - ABC News

Why TF is the government moving in the direction opposite to commonsense? (Don’t answer that.)

Why not?

Those in the community most connected to this topic discussion are not typical of the greater consumer-verse, IMO. We’re a select subset.

How likely is the average consumer to have a reliable, comprehensive and accessible personal information retention system or strategy?

For those who choose to be forgotten one answer.
Likely many different answers depending on who one asks for the remainder.

Common sense might be that if I don’t like the dentist I’m using I should be able to go elsewhere. Having recently had my teeth imaged yet again, it would be pleasing not to have to do it too soon. I’d suggest we have a right to acquire and retain all our personal records, accepting 99% are now digital. What system should that be?

I’m suggesting there is more than one purpose in retaining data, and that it can serve more than one purpose, beneficial to the consumer as well as to others. A concern for how the others might seek to benefit is not on its own sufficient reason to take the benefit away from all. I.e. if one argues to eliminate data retention, it needs an argument in support of a practical alternative.

Unclear what specifically that is in relation to. If it’s “(Don’t answer that.)”, you can ignore that cynical comment from me. :wink:

That would be a fair comment if the legislation required Medibank to do Data Retention when the customer closes the policy and is asked whether the data should be retained beyond the policy. The mentioned legislation is making it mandatory whether or not the customer wants it / asks for it / declines it.

And for kids, who by definition can’t consent to this, they are being Data Retained for up to 25 years? Does that not strike you as a little excessive? And why so much more for kids than adults?

If you choose it … a possible answer would be MyHealthRecord.

We can more or less agree on that, provided that it is a right (not an obligation) and provided that it is controlled by us (while not necessarily being stored by us).


The bottom line though is that I am now potentially in both the Medibank breach (thanks, government) and the Optus breach (thanks, government). :frowning_face: I need to look up exactly when I left Medibank. And yeah I know I'm not the only one in Australia who is in both breaches.
1 Like

PS Another part of the answer is “offline data storage”. With all this Data Retention going on, if it gets archived to removable media and wiped from the online system then it is in most (but not all) cases protected against administrator account compromise.

The government won’t like that though because it means that when they come calling for retained data, it will take more time to get the data.

1 Like

Good idea. But I would go further.

If some clueless Government legislation came about, federal or state, that required retention of data for non-business needs (i.e. law enforcement snooping), the business could offload that onto tape, put it into a truck, and send it to the relevant department for their storage.

Job done.

In most cases where I have been the sysadmin (financial management systems), I have not had access to the system’s data. In one case, I took over sysadmin and was still given access to the data; I immediately notified my manager that I needed to remove this access, and did so.

Yes, I had the access to give myself access, but if you are the sysadmin/DBA at however amateur a level (and I certainly did not receive the training necessary to be top-flight in these roles) the only data you should ever be able to see is test data. Of course, as I write this I realise that many companies including Optus think live data should be put into the test environment or you cannot do proper testing - and so in a secure environment you should not give sysadmins access to the test environment.

Nuke it from space. It’s the only way to be sure.

:slight_smile: The downside of that approach is that you then give up any pretence whatsoever that there is anyone outside of the government (e.g. a court) verifying in any way that restrictions on access to retained data that are laid down in law are being followed. You are essentially consenting to unfettered, permanent, mass surveillance.

1 Like

Medibank hackers begin to release data:

4 Likes

To maintain their credibility they have to, don’t they? :wink:

3 Likes

Part of the blackmail of a business. Business doesn’t pay, then trickle release data…hoping that there is a backlash from those impacted by the data release (either reputational damage or customer loss). They then hope this pushes a business over the line to pay up.

Not paying up is the right option as no-one can ever guarantee a criminal will be trustworthy and keep to their word. They are likely to sell the data irrespective of whether a ransom is paid. Paying a ransom only gives them an additional ‘income’ source.

4 Likes

… also allows them to invest in their business in order to conduct an even bigger and better hack next time.

This has been discussed in this forum before but my tentative position is that a company paying a ransom should be illegal except in cases of data loss. That would actually protect the company from a small portion of the reputational damage because they can hide behind the (true) claim that they are not legally allowed to pay the ransom. It also somewhat discourages a ransom organisation from bothering to target the company in the first place since they know it is unlikely that the ransom will get paid.

This is in stark contrast to the current government’s lame proposal to increase the fines, which actually makes it more likely that ransoms will get paid (although there is certainly room for argument about the consequences, intended or otherwise).

1 Like

There are some arguments against this, but Uber’s Chief Information Security Officer is facing jail time for paying off hackers. (Largely because he tried to cover it up, but it is still a juicy precedent.)

The trouble with just criminalising ransom payments is that it may create perverse incentives, for instance to try what the Uber guy did instead of telling your customers that you messed up.

3 Likes

Totally. As I said, a tentative position, trying to make the best of a bad situation. However this is better than the perverse incentive of a $50m fine (which simply creates space for the hacker to increase the ransom demand, and really just forces the company to choose who is going to thieve from it, government or hacker).

I think we need to take money out of the equation, as far as is possible, so that there are no incentives to keep it quiet but a strong disincentive to pay a ransom - and also less incentive for a ransom demand to be made in the first place.

I don’t know how Uber managed to hide a $100k payment in the accounts but obviously any ransom payment that is illegal needs to be hidden, which may then require a wider “conspiracy” within the company and make getting caught more likely. (In most organisations every employee will have an authorised spending limit without higher approval, which may be $0 for a great many employees, but once you get to the C-suite, the limits may be high.)

Medibank specifically, as a listed company, would not want to go down that road. It would likely make a bad problem worse, as it did ultimately for Uber.

1 Like

Another email from Medibank yesterday includes this disclosure:

Which of your data has been stolen

Based on our investigation, we can confirm the following data relating to your membership has been stolen:
• first name and surname
• gender
• date of birth
• email (where you have provided it to us)
• address
• phone number (where you have provided it to us)
• policy number
• Live Better activities & rewards data (where this applies to you)

We believe the criminal has not stolen:

• Credit card and banking details
• Your health claims data
• Primary identity documents, such as a driver’s licence. Medibank does not collect primary identity documents for Australian resident customers except in exceptional circumstances
• Health claims data for extras services (such as dental, physio, optical and psychology).


Since I didn’t make any health claims for my ambulance cover, from maybe 4 or 5 years ago when I had it, they have even less than was taken in the Optus hack, as no credit card/bank account info was apparently taken.

The credit union I bank with were on the ball though, weeks ago they gave me a new account number, as they picked up that I previously had an automatic debit to Medibank. Not required given the above info from Medibank, but good to see they were proactive nevertheless.

3 Likes