O’Neil details measures to mitigate Medibank breach harms

Brandon How

The federal government has engaged social media companies and placed protections on government data as part of initial measures designed to respond to the release of stolen Medibank customer data.

Cybersecurity minister Clare O’Neil detailed several measures being taken in response to the release of information on the dark web by a ransomware group on Wednesday.

The Australian Federal Police has expanded Operation Guardian, initially launched for the Optus data breach, to protect Medibank customers in light of the development.

Cybersecurity minister Clare O’Neil. Image: ANU National Security College

Following a National Coordination Mechanism (NCM) meeting on Wednesday morning, also attended by Health minister Mark Butler, Ms O’Neil told question time in Parliament that the eSafety Commissioner is an active part of the NCM.

The NCM brings together agencies across the federal government, state and territory governments, and private sector stakeholders to communicate and collaborate throughout a response to a crisis. It was activated for the first time outside of the COVID-19 pandemic in response to the Medibank data breach.

Ahead of the meeting, Ms O’Neil said social media companies have been engaged through the NCM to ensure the ill-gotten data is not hosted on the open internet, and she encouraged citizens not to republish it.

“We have worked with [social media companies] collaboratively to see how they can meet their public obligations to make sure that whenever possible, information is immediately taken down, because that information is private, and it belongs to the person who has been victimised,” Ms O’Neil said.

She added that republishing data obtained through the data breach and failing to take it down as soon as possible would benefit those responsible for the hack. The hackers are expected to continue leaking the data stolen from Medibank.

Other measures include “placing protective security around government data”, state police working with affected individuals, organising mental health support and counselling, and “putting in place management plans around people who have some very specific vulnerabilities”.

The alleged Medibank hacker began posting data believed to be stolen from Medibank’s systems on dark web forums early on Wednesday morning after the health insurer refused to pay a ransom.

This included some health claims data and other personal data like names, addresses, dates of birth, phone numbers, email addresses, and Medicare numbers (for customers of Medibank subsidiary ahm).

The AFP’s Operation Guardian was launched on September 30 through the Joint Policing Cybercrime Coordination Centre, a partnership between law enforcement, the private sector and industry.

In addition to identifying the individuals at risk of identity fraud, it includes monitoring the internet and dark web for those looking to exploit the data, as well as engaging with the financial service industry to detect criminal activity associated with the data breach.

Another operation, Operation Pallidus, is already underway to investigate the criminal data breach in collaboration with Commonwealth agencies and Five Eyes law enforcement partners, including the FBI.

AFP Cyber Command assistant commissioner Justine Gough said the international nature of cybercrime necessitates collaboration with other jurisdictions.

“We have significant powers, determination and access to international law enforcement networks to help investigate this breach. This is not just an attack on an Australian business. Law enforcement agencies across the globe know this is a crime type that is borderless and requires evidence and capabilities to be shared,” Ms Gough said.

The extent of the data breach was revealed on Monday, with Medibank announcing to the ASX that data belonging to 9.7 million current and former Medibank, ahm, and international student customers had been accessed by the hackers.

At the time, Medibank stated that it is “required by law to retain certain customer (including former customer) information for particular periods of time, generally for 7 years from when a customer leaves us, but in some instances longer”.

Previously describing the Medibank data breach as a “dog act”, Ms O’Neil on Wednesday instead said she did not “have words to express the disgust I feel at crimes of this nature”.

“The fact that people’s personal health information is being held over their head is just disgusting to me,” Ms O’Neil added.
