The world of cybercrime is inhabited by tech-savvy operators working in the dark recesses of the internet. But as the latest attack on Medibank has proved, their actions can have a direct and distressing impact on millions of people.
In the Medibank breach, it is thought that 200 gigabytes of data was stolen, including personally identifiable information such as names, dates of birth, addresses, phone numbers and Medicare numbers, and sensitive personal information about medical diagnoses and procedures. This attack followed a cyber breach at Optus, which affected more than 10 million former and current customers, and is expected to cost the company at least $140 million.
For the attackers who stole customer data from Medibank, causing as much damage as possible is good for business.
While the methods of those carrying out the attacks are technically complex, often involving an ecosystem of specialised criminal groups and even nation states working together, the end game is always the same: forcing companies or individuals to pay for either the return of stolen data or the withdrawal of ransomware.
The Medibank hackers, a ransomware gang that the Australian Federal Police believe is based in Russia, have claimed they demanded $US10 million ($15 million) from the health insurer for the return of the stolen information. After consulting cybercrime experts, Medibank refused to pay up, a decision welcomed by the federal government.
It was the correct call. As Medibank chief executive David Koczkar stated this week: “All the advice is that paying does not guarantee that the data will be returned. It dramatically increases the chance of people being exploited and more Australians being at risk.” The terrible reality is that because it is very difficult to catch and prosecute cybercriminals who are often based overseas (in this instance in Russia, whose government currently has little incentive to help), they have the ability to play by their own rules.
The consequences for some Medibank customers and staff are all too real. The criminals have made good on threats to weaponise the customer information. The first data drop was posted to the dark web just a day after the health insurer said it had refused to pay up.
That tranche of information featured a list of Medibank employees, including their names, work email addresses and details of their mobile phones and computers, plus the personally identifiable information of more than 500,000 international students, and the details of medical diagnoses and procedures of several hundred people. In a bid to increase pressure on Medibank, the cybercriminals have continued to drip-feed more private data, with the latest on Friday morning revealing the medical records of another 240 people.
With the worst-case scenario playing out almost daily, it is clear that Australian businesses and governments need to do more to stem the tide of cyberattacks. The scale of the problem is enormous. It’s estimated that last year, criminals managed to secure more than $US600 million from their racket globally. In Australia, the top cybersecurity agency received reports of more than 76,000 cybercrimes and 447 ransomware attacks over the past financial year. The average cost of cybercrime to small businesses was $39,000, rising to $88,000 for medium-sized companies.
In response to the spate of recent cyberattacks, the federal government is pushing through parliament amendments to the Privacy Act. They include increasing the maximum penalty for serious or repeated breaches of the act from $2.2 million to $50 million, forcing companies to cut back the vast amounts of sensitive data they retain about their customers and beefing up the power of the Australian Information Commissioner.