Government goes softer on Medibank

October 27, 2022

Nick Bonyhady
The Age
Thursday 27 October 2022

It took Cybersecurity Minister Clare O’Neil five words to cut through the layers of Optus spin. Asked whether she believed the company’s claims it had been hit with a “sophisticated” hack last month, she said: “Well, it wasn’t. So, no.”

The response was a pearler, clear and direct, putting the telco in its place.

Cybersecurity experts sharpened their own knives. Alastair MacGibbon, a former head of the government’s Australian Cyber Security Centre, said Optus’ crisis management was poor and had made things worse.

Medibank – the victim of an even worse hack, which has exposed details as personal as whether someone has battled with drugs – by contrast has got the full Team Australia treatment. O’Neil, a master of strategically deployed invective, has likened the hackers to “dogs”, “scum of the earth”, the lowest of the low.

But she hasn’t said a bad word about Medibank despite the company’s drip-feed of updates, each confirming the hack was worse than believed in the previous update. What started with Medibank saying there was “no evidence” customer data had even been accessed is now, two weeks later, a crisis engulfing all Medibank’s 4 million customers, and perhaps close to that number again in former members.

One might hope Medibank would clarify that figure, but the reality is it doesn’t know the full scale of the breach. That is the crux of the critics’ complaints: rather than Medibank stressing early on what it did not know, it emphasised there was no evidence that the worst case had occurred. It was not a lie, but a little like being told your warehouse locks had been broken and declaring all looked well without checking the pawnshop down the road.

In the beginning, it appears O’Neil had no more idea of the hack’s full extent than the rest of us. Opposition cybersecurity spokesman James Paterson used parliament to get an answer from the government on Wednesday that suggests O’Neil first personally spoke to Medibank on or after October 19, seven days after the hack was first detected, though it had been briefing her office. But even when the full scale became increasingly obvious, with revelations such as the use of a username and password granting “high-level access” to Medibank’s systems, O’Neil did not attack the company.

“Given the sensitivity of data involved, it should have been taken more seriously from the start,” Paterson said in a text. “Once it was clear a compromised credential was involved there was no excuse.”

Asked about the apparent double standard last week, O’Neil said she was “on the side of the Australian people” and focused on stopping more damage from the hackers’ crimes. Beneath the political cliche, there is truth to her line. For one, the government sees Medibank’s communications as better than Optus’. But more importantly, the ferocity of the minister’s criticism of Optus scared business leaders as much as it delighted the public.

It worried people in the security apparatus too, who fretted that firms would be so wary of copping a serve from the government that they would limit co-operation with the country’s cyberspies to stop hacks and track down perpetrators. That would be bad indeed. Cyber ransoms are a “prisoner’s dilemma”. It is in each company’s individual interests that they pay to stop the damage but if none did, the hacks would cease. And so O’Neil has adjusted her aim to lambast the unknown online crooks.

MacGibbon, whose credentials make him a trusted talking head in the cybersecurity world, has gone even quieter. That is because Medibank has hired the cybersecurity firm he works for, CyberCX, to aid its response, preventing him from publicly commenting. No doubt Optus wishes it could have done that with O’Neil.
