
April Bradford

Administrator
Staff member
Jun 16, 2022
Health Insurer Medibank is the latest cyber attack victim

Health insurer Medibank is the latest victim of a cyber security attack following the Optus breach last month.

On Thursday, 13 October, the company announced that it had detected unusual activity on its network. While Medibank did not find evidence that sensitive customer information had been accessed, the insurer still took steps to contain the situation.



In a press release, Medibank said: ‘As part of our response to this incident, Medibank will be isolating and removing access to some customer-facing systems to reduce the likelihood of damage to systems or data loss. As a result, our ahm and international student policy management systems have been taken offline. We expect these systems to be offline for most of the day.’

The insurer encouraged customers to contact their customer teams by phone if needed.

You can find their full statement here.

Speaking on the incident, Medibank CEO David Koczkar further reassured customers that they will be dealing with the matter with transparency.

He said: ‘We recognise the significant responsibility we have to the people who rely on us to look after their health and wellbeing and whose data we hold.



‘We are working around the clock to understand the full nature of the incident, and any additional impact this incident may have on our customers, our people and our broader ecosystem.’


Medibank serves 3.7 million members across Australia. Credit: Shutterstock

On Reddit, Aussies commended Medibank for their response to the situation.

One said: ‘The CEO’s statement is already 100 times better than any drivel given by Optus.’

Another wrote: ‘Good to see a competent person with a competent reaction.’

A third was almost in disbelief: ‘Actual security and accountability? Is this real?’



The attack on Medibank pales compared to the Optus cyber incident, which exposed millions of customers' sensitive information and is now considered one of the country’s biggest cybersecurity breaches. The telecoms company has faced criticism from its customers and the government for how it handled the situation.

Another Redditor commented: ‘The way they're doing it should be law, mandatory and not up for discussion in boardrooms.’

Someone with experience dealing with security incidents said: ‘An organisation has 30 days to notify of a breach, so it is in law, it's 30 days because many breaches can take more than a week to establish what exactly has happened.’ They continued: ‘The fact that they have notified so quick suggests that they haven't had an incident that's affected multiple systems and have a high certainty of what has occurred.’

According to the Office of the Australian Information Commissioner, companies have 30 days to assess if a data breach is likely to result in serious harm. If they are able to mitigate the situation or conclude that the data breach won’t result in serious harm, then they are not required under Australian privacy laws to disclose the incident. Otherwise, they will have to notify affected individuals and the government of the extent of the breach. Individuals can file a complaint if they are unsatisfied with a company’s response.



One Redditor did not see the point of Medibank’s actions: ‘Someone got into their network, was somehow noticed, but accessed nothing of value? And they need to take systems offline?’

However, another user retorted: ‘I'd rather them take systems offline unnecessarily as a precaution than figure "Eh, it's probably fine."’

Another person said: ‘This is common practice to ensure maintenance of evidence. By taking it offline, further changes, etc. are not possible. Therefore, a full image can be taken and forensically analysed. It also stops immediate threats while things are patched and further secured just in case.’

StickmanCyber founder Ajay Unni said that Medibank is especially vulnerable due to the sensitive information it holds. However, he also said that it is encouraging to see the insurer take accountability for cyber-attacks and data breaches. ‘Being on the front foot and taking action, even when it may be disruptive to business, along with keeping customers and the public up-to-date, is a step in the right direction,’ the expert said to ABC.



Meanwhile, cybersecurity expert Shannon Sedgwick said that Medibank could take a number of days before learning the extent of the attack.

Speaking with Financial Review, he said: ‘If they were transparent about exactly what systems are impacted and what they store, that would be helpful.’ He added: ‘There’s an expectation around business ethics and disclosure. I would always suggest erring on the side of utter transparency and complete disclosure, letting the community in to let them know exactly what you’re doing and what you know so far.’

The attack on Optus last month prompted calls for Australia to adopt stricter privacy and data laws similar to those of the EU. Companies have also been urged to reassess how they handle customer data.



Medibank has committed to making timely updates on its investigation, which you can find here.

So what do you think? Are you pleased with Medibank’s handling of the cybersecurity incident, or does it leave much to be desired? Tell us in the comments below!
 
I received an email from AHM, which is part of Medibank, to say they had a cyber attack and will be offline.
They have told me there is no compromise to my account and I'm happy with that as long as they are telling the truth.

I'm with Optus with home internet and was told by them my information was compromised.

Hopefully Vodafone is not next.
 
I believe the Medibank CEO handled this unfortunate situation very well. It is always best to be proactive, up front and transparent.
Hopefully they catch these lowlife hackers causing all this mayhem.

Reminds me of a show I watched on the ABC about rooms of scammers & how they are duping innocent people out of thousands of dollars. All of these scammers & hackers are breaking the law & need to be held accountable.
 
Optus, Medibank, the Federal Police & who knows which other organisations. Nothing is sacred to these cretins & no person is safe from cyber attacks.

Fortunately the CEO of Medibank reacted quickly to avert further infiltration.

30 days to assess whether a breach is harmful or not before being required to notify authorities seems a long time to wait. I would be concerned about what damage could be done by a hacker if they accessed certain information. In the meantime a company is still doing an assessment & making a determination about a notification. Doesn't make me feel comfortable.
 
It's just one of those things these days. There's cyber attacks by silly people every day on companies. If a company has a very good protected IT system they won't get into it so they'll move on to someone else. "Cyber breaching" is a current trend so will keep being reported on at the moment.

And regarding "cyber breaching", I'm with Optus and will stay with them. Certainly not worth panicking about what these dodgy people have alleged to have done with information they've picked up from them. The main people panicking are the ones that don't know how companies' IT systems work and are being wound up by the media about it. 🙄
 