At the tail end of 2022, Australia was rocked by two significant cyberattacks impacting telecommunications company Optus and private health insurance provider Medibank. Professor and Red Sift Special Advisor, Ciaran Martin, was there in November as the story broke on the Medibank breach. Red Sift’s Head of Cyber Governance and Tech100 Women Winner, Dr. Rois Ni Thuama, recently caught up with Ciaran to discuss what he thought the Australian law enforcement and media had done well with Medibank, as well as the areas where he thinks there could be an improvement.
In October 2022, Medibank announced that it had suffered a cyber incident, with cyber criminals accessing sensitive medical data on 9.7 million customers, over one-third of Australian citizens.
Although the attack was not disruptive to Medibank, meaning nobody's healthcare suffered due to the attack, they were facing a very real threat of ransom demand.
Medibank made the difficult, but smart, decision not to pay the ransom. Initially, hackers promised they did not intend to publish sensitive data, rather MediBank would be allowed back into their system upon payment of the ransom. After three days of silence from Medibank, the criminals decided they would begin releasing sensitive data on the dark web, starting with women’s reproductive care, mental health, and substance abuse and addiction records.
Listen to the full discussion here where Rois and Ciaran expand the discussion on:
Because of the sensitive nature of these documents, in most instances, this would have created mass fear among Australian citizens. However, according to Ciaran, “Australian law enforcement and the media did an excellent job of talking about and sharing information with civilians responsibly. Rather than add fuel to the fire, media publications chose not to start reporting on the individual files that were being released, or even give much coverage to the nature of the documents. This move really devalued the extortion demand to an extent because of the strategic move to reduce the fear of private information exposure.”
- Nation-state involvement in the attack
- How governments - specifically the US - have historically handled cybersecurity legislation and Nation-state actors
- Ideas on how we can improve breach reporting, policies, and legislation in the future