November 8, 2022
THE Medibank hack should be a “wake-up call” for corporate Australia, Opposition cyber security spokesman James Paterson has said.
Australia’s largest health insurer said on Monday it would not pay any ransom demand for the data breach revealed last month, which compromised the personal information of almost 10 million people.
The hacker had threatened to sell the stolen data and to release health records of 1000 high-profile customers unless Medibank paid a ransom.
Senator Paterson said it was up to businesses to make the “difficult” decision of whether to pay ransom demands.
“It is often the case that companies do pay ransoms and it is often the case that it is not successful when they do in achieving their objectives,” he said on Monday.
“And that’s why the consistent position of the Australian government and our cybersecurity agencies over many years is not to pay.”
Senator Paterson said companies that adopted the policy of not paying ransoms had an added responsibility to protect their customers’ data “in the first place”.
Medibank has commissioned an external review into the incident after revealing almost 500,000 health claims had been accessed, as well as the names, dates of birth, addresses and phone numbers of 9.7 million current and former customers.
Opposition home affairs spokeswoman Karen Andrews has attempted to revive a Coalition-era Bill that would introduce new offences for hackers using ransomware.
The legislation would impose 10-year maximum jail sentences for cyber extortion and 25-year maximum prison sentences for cyber attacks on critical infrastructure. The Bill has not been revived by Labor after it won the federal election in May.
Ms Andrews told parliament on Monday the laws would deter criminals and form an “important part of safeguarding Australia” against cyber attacks.
She said the response to the Medibank hack and recent Optus data breach had been “lacklustre”.
“The silence from the government has been deafening on these breaches,” she said.
Home Affairs and Cyber Security Minister Clare O’Neil has been contacted for comment.
Labor last month introduced legislation to parliament that would increase fines for companies that failed to protect Australians’ personal data from about $2m to at least $50m.
Attorney-General Mark Dreyfus had flagged he would seek to rush through changes to the Privacy Act given the massive scale of the recent data breaches at Optus and Medibank. Under the amendments, companies involved in serious or repeated privacy breaches would face penalties of hundreds of millions of dollars.
Businesses would be fined whichever was higher: $50m, three times the cost of damage caused by the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.
A review of the Privacy Act by the Attorney-General’s Department is expected to be completed by the end of the year and result in recommendations for further reforms to protect personal information.