NEWS: OAIC Takes Civil Penalty Action Against Medibank
Today the Office of the Australian Information Commissioner (OAIC) announced in a press release that it has filed civil penalty proceedings against Medibank as a result of the findings from its investigation into the Medibank data breach of October 2022. The OAIC alleges that between March 2021 and October 2022, Medibank failed to take reasonable steps to protect the sensitive information of 9.7 million of its customers from misuse or unauthorised access, thereby breaching the Privacy Act 1988.
This announcement comes nineteen months after the famous cyber attack, and four months after the Australian Government imposed its first ever cyber sanction on a foreign cybercriminal. Seeing as it has been a while, let’s refresh our minds about one of the highest profile cyber attacks in Australian history.
The Medibank Hack - And a Revision on Ransomware
Starting on the 13th of October 2022, health insurance giant Medibank began noticing ‘unusual activity’, which four days later was recognised as “consistent with the precursors of a ransomware attack”.
For those new to cyber, ‘ransomware’ is essentially malicious software that infects a victim’s digital systems and can then either lock the victim out of their services and data using encryption, or exfiltrate (steal) sensitive data to then sell or publicly release. In either case, ransomware, as you can imagine, results in extortion, with the hacker demanding that a ransom be paid to unlock services, withdraw the sale, and/or return the stolen data. In most cases, the ransom demand is calculated to be achievable for the victim, and even after the ransom is paid, the criminals will still sell the data anyway.
So Medibank gets hit with a ransomware attack, the hacker group claims to have stolen 200GB of sensitive data, and demands that a US$10 ransom be paid, otherwise the data will be posted on the dark web, starting with prominent individuals such as celebrities, public figures, and even influencers. In November, Medibank confirms the legitimacy of the data and refuses to pay the ransom. On the 10th of November, one day after releasing their “naughty list”, which detailed sensitive medical histories such as drug addictions and mental health treatments, the cyber criminal group releases the “abortions” data on the dark web. The next day, the Australian Federal Police (AFP) links the attack to a Russian hacking group globally referred to as REvil.
The Man & The Group Behind The Attack
REvil is a Russian-based Ransomware-as-a-Service (RaaS) group, meaning they develop and sell sophisticated ransomware to less experienced hackers and charge them a fee. REvil was first identified in April 2019, and since then has been used by multiple threat groups against organisations in the manufacturing, transportation, electric, and, more recently, medical sectors.
On the 23rd of January 2024, the Australian Government imposed its first ever cyber sanctions under the Autonomous Sanctions Act 2011 against an individual for cybercrime. That individual was Aleksandr Ermakov.
These sanctions were a signal to cybercriminals globally that Australia would take action against anyone who tried to disrupt our way of life through cyber attacks. Since then, sanctions have been imposed on a second Russian cybercriminal in an unrelated case, which you can read more about in our blog here.
What Does This Lawsuit Mean?
For the OAIC to make these claims, there must be substantial evidence in its recent report of findings from its investigation into Medibank. This is separate from the Maurice Blackburn class action on behalf of the affected customers. Obviously this isn’t good news for Medibank itself, considering its annual profit dropped from $560 million to $343.2 million in its most recent report, not to mention the more than $76 million cost of the breach, which includes Medibank’s cyber security uplift. Now Medibank is staring down the barrel of a maximum penalty of over $21 TRILLION.
However, this is good for Australians. It shows us the Government is taking steps to fortify Australia, and will come down hard on organisations that fail to protect the privacy of their customers when it is within their ability to do so. Medibank profited $560 million annually prior to the attack, so investing in better cyber security was well within its ability. This will continue to reinforce the idea that cyber security needs to be heavily considered at the executive level, which will be achieved through the appointment of CISOs, compliance with regulatory frameworks, and realistic consideration of cyber threat intelligence.
Let this also serve as a reminder that even small businesses have a responsibility to protect the data of their customers. Even routine business documents such as invoices can contain enough information to be used against a victim. If you are unsure, consider hiring a specialist to look over your business practices to help you make informed decisions about your information security.
References:
https://attack.mitre.org/software/S0496/
https://www.cyberdaily.au/security/10219-medibank-continues-to-count-the-cost-of-2022-cyber-attack
https://www.mauriceblackburn.com.au/class-actions/join-a-class-action/medibank-data-breach/
https://www.oaic.gov.au/newsroom/oaic-takes-civil-penalty-action-against-medibank
https://www.asd.gov.au/news-events-speeches/news/2024-01-24-cyber-sanction-imposed-russian-cybercriminal-2022-medibank-private-compromise
https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/
https://www.servicenow.com/products/governance-risk-and-compliance/what-is-ransomware.html