November 10, 2022
TOM CONNELL: Well hackers are making good on a threat to release the personal information, some of it very personal, of Medibank Private customers. They say they demanded $10 million in ransom, that ransom was not paid. We've been repeatedly seeking to get the Minister on about this. We've been told a few times, Clare O'Neil would be coming on, including today. It seems to not be possible right now. We'll keep trying and we continue to hope. Instead, we'll be joined by the Shadow Cyber Security Minister James Paterson – not that we're trying to say you're second prize here, but just wanted to alert our viewers of that.
JAMES PATERSON: Could I just say that there is a serious point about this, which is I'm often invited on to do interviews like this, which I'm happy to do. But the Minister has an authoritative voice, has access to the most up to date advice from the intelligence agencies, and Australians do want to hear from the Minister about the mitigations that they might need to take to protect themselves. And while I'm happy to do the best I can to fill in, I am only the Shadow Minister.
CONNELL: Alright, humble as ever, as I said, an invitation still is out there for the Minister to come on the show. So, information being released, it's going to be pretty distressing. I'm not going to go into the information. It's pretty personal stuff. Could the government have done anything to stop the release once the hack had happened or the company?
PATERSON: That's not clear yet, Tom, and we won't know until at least, I think, once we've got some distance from the event itself, we've had some time to consider and reflect on it. I've called for a genuinely independent arm's length review of the government's response. But that's a question for another day. The question for today is really Medibank customers and how they're being affected. And you're right, it's incredibly distressing and incredibly personal information that the hackers allegedly released today and some of the information they released yesterday was also personal in nature. My heart does go out to Medibank customers and it's really important for them if they are contacted by anyone trying to individually extort them or individually seek a ransom from them, that they immediately report that to the Australian Cyber Security Centre via cyber.gov.au where there's a reporting mechanism and also that they contact Medibank if they have any concerns. There's a hotline that's been set up which they will be aware of.
CONNELL: They can do that. If something's really personal they might go, you know what, I'm just going to pay the ransom. I don't want this out there.
PATERSON: Yeah.
CONNELL: What would you say to someone in that situation?
PATERSON: It's completely understandable why you'd have that response as an individual, but my advice would be that's not a good idea. Firstly, the person who's contacting you might not be the actual hacker. They might not actually have your data. They might just be piggybacking off the top of it...
CONNELL: Yeah, so no guarantee it actually does anything.
PATERSON: And in addition to that, even if it is the hacker and even if they do have your data, these are not honourable people who abide by the arrangements they enter into. There's no guarantee that if you pay, they won't just ask you for more money and continue to extort you until you can't pay any more. We have seen instances of that in the past so I would really encourage people not to pay.
CONNELL: There's a lot of advice out there around what you should do if you're potentially affected, including changing passwords. If someone doesn't do that and say their bank details are hacked and someone steals, you know, thousands of dollars and the bank says, well, you didn't take the proper measures. Would that be fair enough for a bank to say that in that situation? Is there an onus on the customer right now to take the steps they're being advised to do?
PATERSON: I think it would be very unfortunate if individual victims are blamed here. If you are robbed at home and you accidentally left your door unlocked or your window open, the police don't come and say, you know, we're not going to help you because you left the door unlocked. They're going to help you because you're a victim of a crime. This is a crime.
CONNELL: This is more like it happening a second time. We're not locking the door after it happened. I mean, you're told change your password.
PATERSON: I would differentiate between individuals who frankly, it is quite bewildering to comply with all these different obligations and all this different advice. It's complex and most people aren't cyber security experts...
CONNELL: Changing your password is pretty simple.
PATERSON: But companies, I think, do bear a much greater responsibility. They have both moral responsibility and, in many cases, legal responsibilities to protect the data of their customers. And if it's demonstrated they haven't done adequate things, then there should be consequences.
CONNELL: And, at the moment, what? It's a $50 million fine up to for future instances of what's happening here?
PATERSON: So the proposed amendments to the Privacy Act that Mark Dreyfus has introduced, I think passed the House yesterday, and will be coming to the Senate when we reconvene in a couple of weeks’ time, increase those penalties to a minimum of $50 million, but also up to a third of the revenue of a company involved or some calculation of the potential benefit that they've derived from it.
CONNELL: Not to mention the damage they'll have as a business. What about a media company or even an individual on social media that sees the leak and reposts it or posts someone's private information, which, given there might be some celebrities involved, could happen. Do we need a penalty for that?
PATERSON: Yeah, I'd really encourage people not to be involved in distributing this information at all. You are doing the hackers' work for them if you assist them to do that. And I saw the Minister say in Question Time yesterday that our Online Safety Commissioner has written to social media companies to warn them about this. I think that is appropriate action. Social media companies and traditional media companies and individuals really should play the team game here and not facilitate this extortion because that's what they'll be doing.
CONNELL: And just finally on ransoms and companies paying them, should it be illegal for them to do so and that might remove the honeypot?
PATERSON: I have seen some people, including Fergus Hanson at the Australian Strategic Policy Institute, strongly advocate this, and their rationale is that it would reduce the attractiveness of Australia as a target if we're able to do that. I respect that argument, I understand that argument. I think we need to carefully consider it. It is true that companies and individuals do often pay and we would have to think about whether or not we want to criminalise victims even though they're doing something which is against Australian government advice.
CONNELL: So, you could set it at a company level rather than an individual level, for example?
PATERSON: Yeah, I think we'd have to carefully think through the implications. I'm not aware of any other jurisdiction that's done that and we'd have to think about what our other allies and friends do as well.
CONNELL: James Paterson, thanks for your time.
PATERSON: Thanks, Tom.
ENDS