Experts say if Medibank negotiates with criminals it will open the floodgates and make Australia a target for even more malicious attacks by cybercriminals.
A recent report by McGrath Nicoll indicates that around 80% of businesses chose to pay the ransom and the average amount of cyber ransom paid was $1.01 million.
Fergus Hanson of the Australian Strategic Policy Institute said the willingness of corporate boards to pay for their exit from difficult positions has thrust Australia into the cybercriminal spotlight.
“The problem we have in Australia for businesses is that they are just haemorrhaging money from these completely unproductive activities with cybercriminal gangs overseas who are just breaking into this system by stealing their stuff or encrypting their files and then demanding payment for non-productive service they provide,” says Hanson.
“We need to get to a point where we stop paying ransoms because cybercriminals just wouldn’t target Australia if it was illegal. They target people who pay and if we don’t pay they won’t target us .
Hanson says stopping “parasites” from draining corporate funds that could be productively deployed in research and development or other investments will take a tough line from federal cybersecurity minister Clare O. ‘Neill.
“We need to ban ransoms,” he said, adding that the blame lies entirely with O’Neil, who has yet to publicly rebuke Medibank for letting an entire week pass before revealing things were worse than expected.
O’Neil’s leniency stands in stark contrast to her approach to Optus, where she spoke out early on in her public derision of her role in exaggerating the sophistication of the hacking attempt.
But she could have Medibank on a barrel. If he sticks to his ‘Team Australia’ urgings and refuses to pay, O’Neil could continue to go easy on the insurer who presided over the most invasive privacy breach in the company’s history. ‘Australia.
Right now, O’Neil and Medibank blame the criminals squarely because they apologize to its members “for this crime” — not for their failure to protect their customers’ data.
A decision not to pay the ransom risks exposing the private health records of millions of Medibank members, past and present. These range from simply visiting a physio or dentist, to specialist psychiatric support for mental illness or addiction, to termination of pregnancy or even for those fleeing domestic violence situations.
It’s the test that corporate governance experts say Australian boards need speed-dial lawyers for when – not if – that time comes. Have your game plan ready to tweak and don’t start from scratch, is the advice of the Australian Institute of Company Directors, which suffered its own IT mishap last week.
Cybersecurity Cooperative Research Center director general Rachael Falk said government guidelines are not to pay ransoms, although it is not illegal to do so.
“Really, it’s up to the companies to decide. We say in our principles that it is important to get legal advice in advance so that the council is really clear on the legalities well in advance,” she says.
“We tell companies to make sure that they have obtained legal advice well in advance, so that the board of directors knows and is able to decide what they are doing soon enough, or can debate this position, but they don’t start from scratch at that point.
To lose control
Pennies must have started to fall as Medibank chief executive David Koczkar lost control of what was happening at the beleaguered health insurer on Saturday when the federal government went into crisis.
Over the weekend, O’Neil brought together the “brightest and smartest” in the country to battle the criminal “scum” engaging in what she described as a “dog act” under the auspices of the all-powerful national coordination mechanism.
The hyperbole was flying – as was the data of over 4 million Australians.
What has since emerged is a clearer picture of the number of Australians involved in this troubling crisis. On Tuesday, Medibank said another 1,000 sensitive pieces of information about its customers’ health, including claims histories and diagnoses, had been revealed to it by the criminals.
And just a day later, at the bottom of a three-page ad came a startling confession from Koczkar that the criminals now have. accessed information for each of its 4 million customers and an unquantified number of former customers.
“Our investigation has now established that this criminal accessed all of our private health insurance customers’ personal data and significant amounts of their health claims data,” he said at the very bottom of the press release. the ASX.
It was time for Medibank to face the music on Wednesday after trading just a day and a half in the two weeks since it first attempted to play down the extent of the data breach.
Its shares sold off sharply when trading resumed, wiping 18% or nearly $1.8 billion of its market value in one day. Shares fell another 1.9% on Friday, down nearly a fifth, as investors digested the news piecemeal.
“The first reaction from companies is always like, ‘We couldn’t have been redone because we would have noticed. They must have stolen all the credentials, and we’ll just reset the passwords and enable two-factor authentication, and we’ll be fine,” Hanson says.
“And then they gradually find out that they’ve been redone, and usually extensively, as we’ve seen.”
A “compromised ID” – fancy language for a stolen password – belonging to someone at Medibank who had high-level access to customer data turned out to be irrefutable evidence.
But as Medibank searched for criminals entering through the backdoor, or an impending ransomware attack that Australia’s Signals Directorate learned about on the dark web, the criminals broke in with a key and moved into their homes.
“If they stole credentials such as those of a system administrator or internal IT professional, then they would have much broader access than just a general user, whose access is limited to the sphere of their role”, explains a cyber-expert. Shannon Sedgwick.
“The target of all malicious actors is to gain access to privileged credentials, then they can do whatever they want. The stolen credentials create a method of entry.
Another IT expert who has worked with health insurers who wished to remain anonymous because he is not authorized to speak with the media says having credentials will make it harder, but not impossible, to see what information was accessed and taken.
“If they can’t see what’s been deleted and copied, they’re not properly monitoring people with credentials,” he says.
He adds that it’s possible multi-factor authentication was played – meaning the criminal with the credentials also grabbed a phone or email account, or pretended to be at the physical premises. of Medibank where multi-factor authentication would probably not have been necessary.
Koczkar said FRG weekend last week that the insurer was considering whether to strengthen two-factor authentication as part of its “forensic investigation” into the whole saga.
Medibank emails to customers now explain that each of their files has been accessed, but they will only hear from the insurer if there is evidence that their information was taken.
He still could not say on Friday how he was resolving the difference, but he only contacted those whose data was shared by criminals as “proof of life” in a growing hostage situation.
On Thursday, Medibank told the media – not the ASX – that the contamination had seeped into the public hospital system and South Australian government-backed services provided by Medibank in a home hospital to around 4,400 customers.
Medibank says it has similar partnerships across the country with various state governments, hinting that more patients in the public system could be involved.
One of the world’s foremost experts in corporate cybersecurity, Kris Lovejoy, global head of security and resilience for IBM spin-off Kyndryl, landed in Australia amid the Medibank maelstrom earlier this week . Although not hired by the company, she said globally it is a common fate that companies are unable to immediately assess the damage.
Justified questions are being asked about whether Medibank misled the market and customers about the seriousness of the situation, but Lovejoy’s comments to FRG weekend suggest he was trying not to reveal that he was largely in the dark.
“Having had many opportunities to deal with these things, often when you have an event like this you don’t know what’s going on. You don’t even know it’s an event,” she says.
“We find that for every ransomware event or data breach that was disclosed, there are probably 99 more that weren’t.”
It might seem easy as an outsider to assume that Medibank could look through its networks and spot weak spots and where data is leaking from. But Lovejoy says a quagmire of old legacy systems and different company departments implementing technology differently can paint a confusing picture.
“There’s a lot of shadow IT going on, developers are developing, you’re hiring a lot of third parties, you’re putting apps together using a bunch of widgets that are basically bought off the shelf in some sort of tech supermarket” , she said. said.
“They put it together, then they kick it out without any security checks.”
Medibank’s board can expect a heated annual meeting on November 16. Two recent appointees, Fagg and Everingham, a former Seek and Yahoo executive, are up for reelection, and Nicholls and David Fagan, who have both served on Medibank’s board since 2014, are both up for re-election.