Privacy watchdog opens investigation into Medibank breach

Australia’s privacy watchdog has launched an investigation into the Medibank data breach that compromised the personal details of 9.7 million customers, on the same day the would-be hackers posted the full trove of data on the dark web.

The Office of the Australian Information Commissioner (OAIC) announced the investigation on Thursday, having already conducted preliminary inquiries in the immediate aftermath of the breach in October.

A similar investigation into Optus’ September data breach – which compromised the personal information of around 10 million past and present customers, including identity credentials – is ongoing.

The critically underfunded OAIC received a $5.5 million boost in the October federal Budget to conduct the Optus inquiry. It is unclear whether the funding will also now be used to probe the Medibank breach.

In a statement, the OAIC said the new investigation will consider whether Medibank took “reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure”.

The investigation will also consider “whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs)”.

If Medibank is found to have seriously or repeatedly interfered with the privacy of its customers, it could face penalties of up to $2.2 million for each contravention under the Privacy Act, which remains under review.

Serious privacy breaches will be subject to far greater fines of $50 million, three times the value of any benefit obtained through the misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period, whatever is larger, in the future after new laws passed this week.

Information and Privacy Commissioner Angelene Falk can also make a determination requiring Medibank to “take steps to ensure the act or practice is not repeated or continued, and redress any loss or damage”.

The beginning of the investigation comes on the same day the alleged cybercriminals, suspected to be connected with the Russian-based ransomware-as-a-service crime group REvil, posted the remainder of the stolen Medibank customer data on the dark web.

Medibank is reportedly in the process of analysing the data, which amounts to over 5GB of comprised files, but the company believes it correlates to what was compromised in the cyber-attack.

Around 9.7 million current and former customers of Medibank and budget subsidiary ahm had their personal information, including names, dates of birth, address, phone numbers and email addresses, compromised in the data breach in September.

Of the 9.7 million customers, the health claims of around 480,000 customers were accessed. The claims included the “codes associated with diagnosis and procedures administered”, which the cybercriminals released in an attempt to force Medibank to pay a $15 million ransom.

The government has taken several steps to minimise the impact of the breach on customers, including by “placing protective security around government data” and engaging social media companies to prevent data from being hosted on the open internet.

The National Coordination Mechanism – an emergency management tool developed to respond to the Covid pandemic – was activated in response to the data breach in October, bringing together federal, state and territory government agencies and the private sector.

Do you know more? Contact James Riley via Email.

Leave a Comment