
A tale of two cyber-attacks - Lessons learnt from the Medibank and Optus data breaches

Posted on October 24, 2022

Optus and Medibank have become the latest corporate casualties to suffer significant data breaches over the past month.

On 22 September 2022, Optus fell prey to a ransomware attack which resulted in millions of Optus customers’ sensitive information (such as identity document numbers, email addresses, phone numbers and residential addresses) being compromised. The identity of the hacker is not yet known.

Less than a month after that cyber-attack, Medibank, a leading health insurer, was subject to a separate and possibly more significant cyber-attack. It is believed that the hacker has stolen over 200GB of customer information including Medicare numbers and medical history. Medibank is still investigating the identity of the hacker, but it is thought that access was gained using fake or compromised user credentials.

Both data breaches will be subject to notification under the Notifiable Data Breaches Scheme in the Privacy Act 1988 (Cth).

What is a data breach?

A data breach occurs when personal information (PI) held by an entity is disclosed, lost, or accessed by an unauthorised third party. PI may include:

  • ‘sensitive information’ (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information);
  • ‘health information’ (which is also ‘sensitive information’);
  • ‘credit information’;
  • ‘employee record’ information; and
  • ‘tax file number information’.

A data breach may have occurred when there has been:

  • Disclosure of an individual’s information to a cyber-criminal or “scammer” as a result of inadequate identity verification procedures.
  • Loss or theft of physical devices (laptops, storage devices) or hard copy records which contain sensitive information.
  • Inadvertent disclosure of PI (e.g. an email mistakenly sent to the wrong address).
  • Unauthorised access to personal or sensitive documents by an employee or officer of a business.

The Notifiable Data Breaches Scheme

The Notifiable Data Breaches Scheme (NDB Scheme) is in Part IIIC of the Privacy Act. For more information on the NDB scheme and how it operates, please follow the link here to see our previous article dated 27 May 2021 on cyber breach notification.

Are Optus and Medibank caught under the NDB Scheme?

Optus and Medibank will both be required to notify the Office of the Information Commissioner (OAIC) of their respective data breaches. Both companies turn over more than $3 million annually and each has experienced data breaches which have compromised sensitive information with a significant likelihood of causing serious harm to affected individuals.

Medibank’s obligations under the My Health Records Act 2012 (Cth)

In parallel with the NDB Scheme, Medibank is also required to notify OAIC under the My Health Records Act 2012 (Cth) (MHR Act).

The MHR Act requires Medibank to notify OAIC of the unauthorised disclosure of medical records. Civil penalties may be imposed for breaches of the MHR Act.

Preparing a data breach response plan

Data breaches such as those suffered by Optus and Medibank are on the increase. A fast response to a suspected eligible data breach is critical in limiting the consequent harm. Businesses and individuals must have in place a data breach response plan which enables them to respond quickly and effectively in the event of an attack.

An effective data breach response plan will allow you to:

  • Meet your notification obligations under the Privacy Act or MHR Act.
  • Limit the harm caused by, and the consequences of, a data breach.
  • Preserve the trust of affected individuals and the public at large.

We are here to help

Data breaches can have a serious impact, and Australian businesses and individuals must have in place robust cyber-resilience strategies to identify and respond quickly to threats. It is prudent to protect yourself by adopting and maintaining practices such as:

  • Securing and monitoring your devices and accounts for unusual activity, and ensuring they have the latest security updates; and
  • Enabling multi‑factor authentication for all accounts.

Have you or your business been affected by the Optus and/or Medibank cyber-attack(s) or experienced cyber security concerns of a similar nature? We have assisted many clients who have suffered actual or suspected data breaches, and helped many others implement response plans.

A moderate amount of planning and forethought can save a lot of grief and expense later on. Please contact us for further advice or help.
