As hackers continue to release data from Medibank onto the dark web, the Australian health insurance company has been criticised for the “appalling” level of transparency it has shown over the past month, with details of how the breach occurred yet to be revealed.

Medibank is Australia’s largest health insurance company, but little is known about what cybersecurity protections it had in place prior to the breach. (Photo by TK Kurikawa)

Earlier today Medibank released an update on the cyberattack, which saw personal information belonging to 9.7 million of its past and present customers stolen. This data is now being incrementally released onto the dark web by the unidentified hackers.

Medibank CEO David Koczkar says his company will not pay the ransom demanded, and has asked the public not to download the illicit data or try to do anything illegal with it. “Anyone who downloads this data from the dark web, which is more complicated than searching for information in a public internet forum, and attempts to profit from it, is committing a crime,” he explains. 

“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care,” Koczkar added. “We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web.”

Medibank’s lack of transparency ‘appalling’

However, Medibank has yet to release any details of how the incident happened in the first place, raising questions about how transparent the company is being. “The lack of transparency [from Medibank] has been appalling,” says Greg Austin, lead in cyber power and future conflict at the International Institute for Strategic Studies. “Their lack of openness to the Australian public on what went wrong and what they’re going to do to fix it is non-existent. There’s been nothing, and their lack of engagement with their outraged customers is palpable.” 

Austin adds: “Apart from the fact that they were hacked, they’ve said nothing about what protection measures they had in place to make sure that hackers couldn’t get access to all of these records. They’ve said nothing about what they’re going to do internally in terms of new investments in cybersecurity. They’ve said zero.”

While Medibank has offered free identity monitoring services to customers impacted by the breach, Austin believes it is unlikely to stop the company from facing legal action from disgruntled clients. “The quality of the data that’s been released is staggeringly damaging and personal,” he says.

Medibank is Australia’s largest health insurance company, but little is known about what cybersecurity protections it had in place prior to the breach, Austin says. “The question we don’t know is, how much was Medibank paying for cybersecurity? How big was the cybersecurity department? Was it expanding? Was it shrinking?”, he says. “A company like Medibank has the assets to prevent the loss of this data through simple, disciplined security measures, and they apparently didn’t take them. Medibank needs to explain itself.”

Medibank could face a hefty bill for cyberattack

Medibank has announced that it is planning to put aside AU$25-35m to cover costs arising from the cyberattack. But analyst Matt Ingram told Business Insider that the true cost is closer to AU$480m once the legal fees the company may incur from losing such a large amount of sensitive data are taken into account.

The compensation bill could go up to AU$960 million if 10% of affected customers join a mooted class-action lawsuit and are paid the maximum AU$20,000 in damages, Ingram added. 

Cyberattacks are a very real threat to healthcare sector companies in Australia. According to the Australian Associated Press, healthcare providers bore the brunt of the country’s attacks in the first half of 2022.

Australia ‘punches back’ against cybercriminals

Meanwhile, telecoms provider Optus has also announced it will be paying AU$140m to cover the costs arising from the major hack it suffered in September, in which the data of 10 million customers was stolen and some 2.8 million of those customers had their personal information exposed. The company is optimistic that its recovery from the breach will be quick.

Yuen Kuan Moon, CEO of Optus's parent company Singtel, said: “We view this matter very seriously as cybersecurity and the protection of our customers’ information is of critical importance to the Singtel Group." 

The Australian government plans to take action following the recent spate of breaches. Home affairs minister Clare O’Neil has said that a ban on ransomware payments may be necessary to dissuade businesses from paying criminals. “There’s some really big policy questions that we’re going to need to think about and consult on, and we’re going to do that in the context of the cybersecurity strategy. We’ll have a look at (making ransom payments illegal),” she said. "This is Australia standing up and punching back."

On Saturday the government announced a joint taskforce between the police and security services was being set up to "investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups".

"This operation will prioritise targets based on the harm they can cause and the threat to our national interests. It will complement the work we do with our international partners and allies," a government statement said. "This operation will collect intelligence and identify ringleaders, networks and infrastructure in order to disrupt and stop their operations – regardless of where they are."

Austin says this kind of coordinated action is required to boost Australian cybersecurity, as many businesses are reluctant to face up to the threats they face. “In spite of the best efforts of governments, there are pockets of the economy and individual corporations who just refuse to do the right thing,” he says. “Clare O'Neil has said that Australia is in a 'cybersecurity slumber' and so that's an important statement which I think is fairly true. Many large corporations and even many government departments really don't have the first clue what's going on."
