Medibank Defends Its Security Practices

Medibank faced angry questioning during its annual general meeting yesterday as shareholders sought explanations for the organisation’s response to last month’s cyber attack.

The Australian health insurance giant fell victim to ransomware in October, as a result of which the personal data of 9.7 million current and former customers was compromised.

In most cases, basic personal information – such as their name, date of birth, email address, phone number and gender – was exposed. But for 480,000 victims, health claims made with Medibank were stolen and published online.

Medibank’s chairman, Mike Wilkins, told the meeting in Melbourne that the cyber attack was “unprecedented”, describing it as a “shocking crime”, the size and scale of which had not been seen before.

Although the latter part of his statement might not be true – the unfortunate reality is that data breaches like this are now common – the broader argument is fair. It’s all too easy to criticise the victim of a cyber attack without acknowledging the indiscriminate nature with which cyber criminals operate.

Australia’s Home Affairs Minister Clare O’Neil rushed to Medibank’s defence, praising the organisation for refusing to pay the criminals’ ransom, while calling the group responsible “scumbags” and “disgraceful human beings”.

Medibank CEO David Koczkar told shareholders that the organisation is in the process of contacting customers whose information was compromised. He added that those whose health information had been posted online had been contacted within 48 hours of the information’s publication.

“We believe that is the right decision. Those customers are uniquely vulnerable. And we want to make sure that they hear that as soon as they can from us. As I said before, this is a complicated process,” he said.

But not everybody has been satisfied with Medibank’s response. The organisation’s share price plummeted by almost 19% following the data breach, and despite its claims that it has done the right thing, new details continue to emerge that cast doubt on Medibank’s cyber security practices.

The extent of the damage

From the moment that the data breach came to light, Medibank had an uphill battle to restore its reputation. The attack, which occurred after a cyber criminal exposed the login credentials of a high-level employee, led to two separate leaks on a dark web site operated by the ransomware group REvil.

The first was damaging enough, containing patients’ names, addresses and birthdates. This sort of information is particularly prized by cyber criminals because it is much easier to use fraudulently compared to, say, financial data.

Banks tend to have far more robust processes in place to identify suspicious activity, which means the stolen information will have a much shorter shelf life. Health data, by contrast, enables attackers to operate under the radar, typically to commit health insurance fraud.

In some cases, the information is used – either by the attacker or someone who purchases it – to illegally obtain prescription drugs or medical equipment.

Things got worse for Medibank after a second database was leaked, containing a file named “abortions”. It was followed by another one that contained the personal data of 240 policyholders who made claims related to drug addiction.

From bad to worse

A fourth file was then leaked, labelled “psychos”, which contained hundreds of claims from policyholders who have undergone mental health treatment.

These files present an added risk because the individual’s reputational damage has to be considered on top of the potential for fraud. Victims will be at best embarrassed and at worst stigmatised if their medical condition is made public, and the exposure could also result in the victim being targeted by scams.

As the Australian Federal Police warned, the release of this information can be “distressing and embarrassing”, and could expose those affected to blackmail.

“Please do not be embarrassed to contact police […] if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made,” Assistant Commissioner Justine Gough said.

To compound matters, some victims claim that Medibank’s assurances that it has contacted those affected – and its repeated statements on the importance of doing so – are inaccurate.

Speaking to the Guardian, one victim said: “It’s been about a week now and Medibank have still not informed me that my data is in that dump.”

After contacting Medibank to enquire about the situation, the victim – who asked to remain anonymous – was told the organisation would be communicating with those who had health claims data posted first.

“They had ample time to prepare the comms and get them out to anyone that had been exposed, and taking over a week to do so is really poor form – and I don’t buy into the excuses they have given,” he said.

“I think that’s probably a bad call given all of their earlier posturing about being transparent.”

Robust practices

Despite the growing criticism of Medibank’s response, the organisation’s board has stood by it. Mike Wilkins described Medibank’s security processes as “robust”, although he acknowledged that whether this proved to be true was subject to an external investigation currently being carried out by Deloitte.

The result of that investigation is likely many months away, but in the meantime, Medibank can point to two key pieces of evidence. First, it employed multi-factor authentication to protect employee accounts.

With multi-factor authentication, individuals enter a password as normal, but must also provide a second piece of information that confirms that they have legitimate access to the system.

This is typically either ‘something you have’ (such as a code sent to your phone) or ‘something you are’ (such as a fingerprint scan).

By doing this, you mitigate the risk of password compromise. An attacker might have your login details, but they still need additional information to access your account.

The technique isn’t foolproof, as this incident demonstrates. More sophisticated attacks trick victims into handing over their authentication keys in addition to their login credentials, and it appears that this is what happened to the employee in question.
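To show why a code-based second factor can be handed over in this way, here is an added illustration (written for this article, not Medibank’s or anyone else’s real system). It models a server checking a standard RFC 6238 one-time code against one that checks an origin-bound challenge, in a constructed scenario where the user is on a lookalike login page and whatever they produce there is forwarded to the real site. The hostnames and the `compare_factors` scenario are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, as most authenticator apps use)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """All a server can do with a typed code is compare digits. Nothing in the code
    records where the user typed it, so a code relayed from a lookalike page verifies
    exactly like a genuine one."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def sign_challenge(device_key: bytes, challenge: bytes, origin_seen: str) -> str:
    """Origin-bound factor (simplified WebAuthn-style model): the authenticator signs
    the server's challenge together with the origin the browser actually shows it."""
    return hmac.new(device_key, origin_seen.encode() + b"|" + challenge, hashlib.sha256).hexdigest()


def verify_challenge(device_key: bytes, challenge: bytes, own_origin: str, signature: str) -> bool:
    """The real site verifies against its own origin, so a signature produced on a
    lookalike origin does not match even when it is forwarded intact."""
    return hmac.compare_digest(sign_challenge(device_key, challenge, own_origin), signature)


def compare_factors(secret: bytes, device_key: bytes, unix_time: int) -> dict:
    """Constructed scenario (assumed hostnames): the user is on the lookalike origin
    instead of the real one, and everything they produce there is forwarded."""
    real, fake = "login.example.test", "login.example-lookalike.test"
    relayed_code = totp(secret, unix_time)                      # read from the phone, typed on fake
    challenge = secrets.token_bytes(16)                         # issued by real, forwarded via fake
    relayed_sig = sign_challenge(device_key, challenge, fake)   # authenticator binds origin it saw
    return {
        "otp_accepted": verify_totp(secret, relayed_code, unix_time),
        "origin_bound_accepted": verify_challenge(device_key, challenge, real, relayed_sig),
    }


if __name__ == "__main__":
    # RFC 6238 test secret; the OTP is accepted, the origin-bound factor is not.
    print(compare_factors(b"12345678901234567890", secrets.token_bytes(32), 59))
```

The difference is the property that makes a second factor phishing-resistant: the check must depend on where the user authenticated, not only on a value the user can read out and retype.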

However, it at least demonstrates that Medibank acknowledged the threat of cyber crime and had implemented defences to mitigate the risk.

Neither the organisation’s processes nor the rollout of technology can be blamed. At worst, you can argue that it didn’t do enough to educate employees on the threat of fraud – but human error can never be entirely eradicated, and without any knowledge about the organisation’s staff awareness practices, it’s unfair to place blame.

The most exculpatory evidence is Medibank’s refusal to pay the ransom. For an organisation already under fire for the disruption caused by a malware attack, and knowing the explosive damage that would be caused if its files were leaked, it would be easy to quietly pay the attackers off in the hope of avoiding a major scandal.

However, cyber security experts urge organisations not to pay up. Even if their systems are restored, there is no guarantee that the information wouldn’t end up online anyway. Plus, paying up makes the victim a target for future extortion attempts.

With the damage caused by this breach, you can understand why so many people are willing to criticise Medibank. And, indeed, many mistakes were made. However, it’s important to praise the organisation for facing the consequences of its actions head-on.

Ransomware has become one of the most pervasive threats organisations face, thanks to the ease with which attacks can be carried out and the potential for large financial rewards.

It only takes one organisation to go against expert advice and pay the ransom for the criminals to hit the jackpot. The average ransomware payment is about £30,500, which organisations could easily justify, but every time that happens, it supports the crooks’ efforts and could be used to fund future attacks.