Data breaches at scale: implications of the Optus and Medibank breaches

Technology risk = whole of business risk

If there was still anyone out there who thinks of cyber risk as a niche IT issue rather than a whole of business risk, that can surely no longer be the case following the 2022 data breaches impacting Optus and Medibank Private.

When the Optus hack was initially announced, it was the most serious data breach in Australian history with nearly half of Australia's adult population impacted by the release of their personal data. For up to two million Australians, that data included identity information such as passports, driver’s licences and Medicare numbers totalling more than 100 points of identification. This translates to information sufficient to open bank accounts, credit cards and apply for loans, exposing the victims - Optus’ customers and former customers - to serious identity fraud.

This breach was later eclipsed by the even more devastating news that the Russian hacking group behind the Medibank Private breach published 6.5 gigabytes of stolen data impacting 9.7 million Australians. Information published includes sensitive information such as medical histories detailing drug addiction, medical procedures such as terminated pregnancies and mental health diagnoses.

There is no doubt that in both the Optus and Medibank Private cyber events, the companies were required to report their breaches to the individuals impacted and to the Office of the Australian Information Commissioner, because the incidents amounted to Notifiable Data Breaches within the meaning of the Privacy Act 1988. (For entities with annual turnover of more than $3Million, the Act requires mandatory notification of data breaches where there is a likelihood of serious personal harm to an individual to whom the information relates).

How did these breaches occur?

Both companies have declined to publicly reveal full details as to how the incidents occurred, understandably wanting to limit any exposure to further similar cyber incidents and no doubt being mindful of the legal implications.

The following descriptions are based on a range of media articles and public statements, full details of which have not been confirmed by either Optus or Medibank.

It appears that the Optus breach occurred following a development project which enabled the developers to have access to all customer data. Once the project was concluded a hacker was able to access that same information via the internet, because of a failure to close off an API, or Application Programming Interface, which allows two software systems to talk to each other.

While the incident was initially described as a “sophisticated” cyberattack by Optus’ CEO, this description was refuted by Australia's cyber security minister, Clare O'Neil. Based on what we know at the date of writing, the breach might have been avoided had a subsequent, independent audit team reviewed the closure of the project.

The Medibank Private breach, on the other hand, reportedly occurred when hackers were able to access all of Medibank's records via breached login credentials held by a person with high level network access privileges. The hackers first entered the system to collect information about Medibank’s databases and network and next they exfiltrated much if not all of Medibank’s customer data.

One media report suggested that the hackers were able to access the system via a password stored in a single individual’s browser on a computer which was accessed remotely. This suggests that there was an absence of two factor authentication such as a code, token or authenticator app which would have prevented access to the network despite the breached password. Following the incident, Medibank’s CEO said that multifactor authentication was a feature of its network but he did not directly address the issue of whether multi-factor authentication was enabled in this instance.

Importantly, it appears that neither of these incidents occurred through the “typical” method of a phishing email which is now the entire focus of many businesses’ cyber education program.

Implications for other businesses

Both incidents involve cyber extortion, or the threat to publish customer information if a ransom is not paid.

While in both these cases the organisations declined to pay the ransom, in many other cases, ransoms are paid by organisations either to protect their own business from reputational damage or to prevent harm to their customers and others.

The Australian government, like governments around the world, has always taken a firm position that ransoms should not be paid in order to avoid “feeding” the cyber extortion business model. However, this case shows the vexed ethical and moral issues that come into play. Is it more important, and more ethical, to honour a general public policy objective designed to discourage cyber extortion generally - a business model which in any case is now highly successful and rampant - or is it more important for a business to honour the trust placed in it by its customers who have provided access to their personal data in good faith, especially in cases involving highly sensitive personal information, where a breach could have the potential to lead to ongoing, psychological and/or financial consequences for the people impacted?

Class actions

Lawyers have filed class actions in both cases, pleading negligence, breach of contract for failure to comply with privacy policies and breaches of the Australian Consumer Law.

While Australian law does not presently recognise a tort of breach of privacy, lawyers have foreshadowed claims for breach of privacy that could go all the way to the High Court.

What findings will a Court make about the companies’ duty of care to their customers, and whether there was a breach of contract or breach of privacy policies?

While an adverse incident does not necessarily result in a finding of negligence, the absence of accepted protective measures such as multi-factor authentication on a VPN leave the insurer exposed.

You don’t need to be a target to be a victim

The incident also clearly shows yet again that you do not need to be a target to be a victim of cybercrime.

There will be many Australians suffering psychological and emotional distress at these events which, on the face of it, did not involve sophisticated attacks at all but potentially basic failings in cyber security processes by both organisations.

Commentators have already predicted that both cases will be taught in business schools as case studies on how not to manage a cyber event.

Cyber security minister Clare O'Neill has said that Australian businesses lag the rest of the world in cyber preparedness. These incidents show that a transformation in Australian businesses’ approach to cyber security is now required. This is not a task that can simply be delegated to an IT department or outsourced, instead it requires a holistic, whole of business approach encompassing not only technology, but people, processes (including the deletion of data), incident planning and management. Lastly, it involves considering appropriate risk transfer either through contractual arrangements and/or insurance.

Both Optus and Medibank Private were the victims of a serious crime and should not be regarded as the wrongdoers in this scenario. However, Australian businesses that collect sensitive information from people must do better in protecting that information, whether this is through enabling multi-factor authentication, encrypting data, deleting customer data when it is no longer required and taking a disciplined and thoughtful approach to the type of information collected. In both cases the harm suffered by customers greatly outweigh the costs of measures that both companies could potentially have taken to prevent the incidents occurring, which are now also eclipsed by the costs of dealing with the fallout of the breaches, including legal actions.

Issues of proportionality, prevention, and possible breaches of legal duties under contractual arrangements with customers, each organisation’s duty of care, and obligations under privacy and other relevant industry specific legislation will no doubt be ventilated before the courts in the years to come.