Latest data breach report shows privacy risks; Medibank update

Recent data breaches and the findings of the latest ‘Notifiable data breaches’ report stress the need for organisations to have robust information-handling practices and an up-to-date data breach response plan.

The Office of the Australian Information Commissioner (OAIC) was notified of 396 data breaches from January to June 2022, a 14% decrease compared to July to December 2021.

Despite the overall fall in notifications, the data trended upwards in the later part of the period, which has continued, said the OAIC. The report also draws attention to an increase in larger-scale breaches and breaches affecting multiple entities in the reporting period.

There were 24 data breaches reported to affect 5000 or more Australians, four of which were reported to affect 100,000 or more Australians. All but one of these 24 breaches were caused by cybersecurity incidents.

“The number of larger-scale breaches caused by cybersecurity incidents reiterates the importance of entities having measures in place to protect, detect and respond to the range of cyber threats in the environment,” said Australian Information and Privacy Commissioner Angela Falk.

Of the total data breaches, health service providers notified 79 (20%) data breaches and 33% of data breaches involved health information.

Malicious or criminal attack accounted for the majority (54%) of breaches notified by health service providers, followed by human error (43%).

“Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place,” Falk said.

The Privacy Act 1988 requires entities to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware that there are grounds to suspect they may have experienced an eligible data breach. Once the entity forms a reasonable belief that there has been an eligible data breach, they must notify the OAIC and affected individuals as soon as practicable, according to the OAIC.

In the reporting period, 71% of entities notified the OAIC within 30 days of becoming aware of an incident, compared to 75% in the previous period.

“A key focus for the OAIC is the time taken by entities to identify, assess and notify us and affected individuals of data breaches,” Falk said.

“As the risk of serious harm to individuals often increases with time, organisations that suspect they have experienced an eligible data breach should treat 30 days as a maximum time limit for an assessment and aim to complete the assessment and notify individuals in a much shorter timeframe.”

Falk welcomed measures in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, currently before parliament, which give the commissioner stronger information-gathering powers to ensure entities are reporting breaches and notifying individuals when they need to and increase penalties for serious or repeated privacy breaches.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, said the OAIC, increases the maximum penalties for serious or repeated privacy breaches from the current $2.22 million to whichever is the greater of: $50 million; three times the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover in the relevant period.

Medibank update

In the latest major data breach involving health insurer Medibank Private, customer data including information such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for AHM customers (not expiry dates), in some cases passport numbers for international students (not expiry dates), and some health claims data were released on the dark web.

In a statement Medibank CEO David Koczkar said, “I unreservedly apologise to our customers.”

“The continued release of this stolen data on the dark web is disgraceful.

“Unfortunately, we expect the criminal to continue to release stolen customer data each day. The relentless nature of this tactic being used by the criminal is designed to cause distress and harm.

“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.

“It’s obvious the criminal is enjoying the notoriety. Our single focus is the health and wellbeing and care of our customers.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures,” Koczkar said.

The company will be contacting customers whose data has been released on the dark web.

“If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.”

What’s reasonable, what’s not?

Associate Professor Michael Duffy, Director of the Corporate Law, Organisation and Litigation Research Group, Monash Business School, said, “As these hacks are becoming more common and formidable, there may be another question into the future of how reasonable it is for businesses to keep asking for sensitive personal data as a condition of doing business. This may or may not apply in the case of Optus and Medibank — and certainly some of these requirements are driven by government regulation.

“Nevertheless, businesses requesting and keeping personal details that aren’t completely essential could become more legally problematic for them, if they are hacked.

“A Medibank class action would raise similar procedural issues to the Optus class action and might seek to cover all those who have suffered loss caused by any breach of law.

“In terms of the liability argument, there may be a question of whether reasonable care was or was not exercised by Medibank, and whether appropriate defensive technology is being used,” Duffy said.

Vigilance and monitoring

The Australian Cyber Security Centre is urging people to:

• Remain vigilant and monitor all your devices and accounts for unusual activity. Report unusual activity to ReportCyber, IDCARE (1800 595 160) and your bank.
• Be alert for scams that make reference to Medibank Private. Do not click on links in suspicious emails or messages that reference Medibank Private. Visit ScamWatch for help.
   

Below is ACSC’s advice on practical ways to boost cybersecurity:

• Update your device and turn on automatic updates to ensure you always have the latest security protection.
• Turn on multi-factor authentication to increase the security of your accounts.
• Set up and perform regular backups to copy and store critical information.
• Implement access controls to limit user access to only what is needed on devices.
• Stay up to date on cybersecurity threats and trends with ACSC alert service.
   

Image credit: iStockphoto.com/weerapatkiatdumrong