Hackers release Medibank private details as corporate punishment looms
Companies could soon face bigger penalties for data breaches, after new laws passed the federal parliament's lower house on the same day that hackers began releasing Medibank customers' data.
The bill would raise the maximum fine for a breach from $2.2 million to either $50 million, 30 per cent of a company's turnover during the affected period, or three times the value of any benefit gained through the misuse of the information.
The proposal was introduced in the wake of the Optus and Medibank hacks, which have affected millions of customers.
Attorney-General Mark Dreyfus said companies needed to do better to prevent large data breaches from happening.
"Significant privacy breaches in recent weeks have shown existing safeguards are outdated and inadequate.
"This bill makes clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business."
Debate on the laws will now move to the upper house but will be cold comfort for Medibank customers whose data is now being leaked online by hackers.
Hackers have begun publishing the data on the dark web after the health insurer refused to pay a ransom fee.
Hundreds of names, addresses, birthdates and Medicare details were being posted under "good-list" and "naughty-list" on a blog belonging to the group. The hackers had demanded a ransom to stop them from releasing the data but Medibank earlier this week said it would not pay it because it would encourage further crime.
Shortly after midnight, the group posted the first lists, saying in the early hours of Wednesday:
"Looking back that data is stored not very understandable format (table dumps) we'll take some time to sort it out.
"We'll continue posting data partially, need some time to do it pretty."
The hackers also appeared to have revealed screenshots of private messages recently exchanged between themselves and Medibank representatives.
Medibank said in a statement on Wednesday the files appeared to be "a sample of the data that we earlier determined was accessed by the criminal":
"This data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates) and some health claims data.
"We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web and provide advice on what customers should do."
Medibank said it expected the criminals would continue to release files on the dark web. Medibank CEO David Koczkar said:
"We unreservedly apologise to our customers.
"This is a criminal act designed to harm our customers and cause distress.
"We take seriously our responsibility to safeguard our customers and we stand ready to support them."
Medibank has previously confirmed almost 500,000 health claims were stolen, along with personal information, when the unnamed group hacked into its system weeks ago.
Some 9.7 million current and former customers have been affected.
No credit card or banking details were accessed.
Assistant treasurer Stephen Jones said Australia needed to quickly lift protection against cyber threats.
Medibank is certainly not alone in refusing to pay a ransom demand, with a recent report finding 19 per cent of Australian companies responded to ransomware attacks by paying the fee.
Mimecast's 2022 State of Ransomware Readiness report found 20 per cent of companies were asked to pay between $500,000 and $999,999 for their information.
Some 13 per cent of the businesses surveyed said the total cost of the ransomware attacks they'd experienced was between $1 million and $2 million.
The federal bill would also give the Australian Information Commissioner greater powers to resolve privacy breaches and to share information about breaches in order to help affected customers.
However, the Australian Information Industry Association said the government should instead take a "positive, collaborative approach" to what is a complex issue.
Association CEO Simon Bush said the recent cyber attacks on major businesses were concerning for all Australians:
"We rightly have high expectations of organisations who have our data.
"That is why we want the government and industry to work together to uplift cyber security and data governance across all sectors.
"Rather than punishing businesses acting in good faith for being the subject of attacks and breaches, some of which may be beyond their control or instigated by sophisticated actors, we want to see the government work to implement best-practice data security and work with industry to uplift cyber security across the board."
Mr Bush said the Privacy Act review was the best place for dealing with such issues, and the government should focus on lifting cyber security skills in the Australian workforce.
"Our members tell us regularly that hiring staff skilled in cyber security is one of the most in-demand ICT skills, but this is also one of the leading skills our members tell us they are unable to adequately source in Australia."