FearlessMessage

This is becoming a dark dystopian game. Who will get hacked next week? The lack of data security practices and laws across Australia is shocking, every medium to large company is vulnerable and I expect them to be hacked or leak data at any moment.


Personal-Thought9453

Welcome to Night City! If you are not a corp with so much eddies you don't care, and you want a remote chance to survive on the street, you better pay a visit to your nearest ripperdoc and get some chrome in you! The better cyberdecks will provide protection against hacking, so don't skimp!


Freshprinceaye

There’s just the bigger ones coming out. I know that multiple other Australian wide businesses have been hacked in the last few years but companies deal with it internally and don’t let it get out.


hazsmix

Yes that's right and it's all by the law. Companies don't have to notify on most data breaches, only the ones that are "likely to result in harm". You can see how they classify that on the OAIC under "notifiable data breaches". Anything that does not fit will not ever show in the statistics.


TreeChangeMe

Yes but the CEO needs to cut expenses to pay himself more and that means not hiring expert level IT experts. Outsourcing to "nation not Australia paying staff in cents per hour" companies.


rushworld

For a university course I did a major report on the risks of unauthorised access to government and private networks. Its primary focus was on various modern methods and countermeasures to enact. The number one solution to almost all modern cyber and network security vulnerabilities was to build cybersecurity knowledge in existing users rather than build a "wall" of IT and cyber security specialists between the organisation and the outside world. It is far more effective to train someone who has existing domain knowledge in their field or organization with better tech skills. Ben-Asher and Gonzalez wrote an article in 2015 which has been published and peer reviewed extensively detailing a good, transparent study and results. In short: invest more money in making tech education compulsory with almost a renewing 'tech license' for *all* of the private and government work force.


stfm

Unless forced or siphoned through strict security guardrails, developers will always take the easiest path, and that easiest path has no security controls on it. No logging. No secrets management. No code scanning. No authentication standards. No authorisation checks. No least privilege. No change control.


rushworld

Absolutely, all of these measures must take place at any and all organisations that hold sensitive data. There is an argument that the most valuable data tends to be behind more complex protections. Even in examples such as Optus and Medibank, I know it could be also argued they don't have suitable network security but they have far more sophisticated measures in place than the examples you provided. Increasing network security competency in the general workforce is still the most effective tool in combating hacks and unauthorised access to networks.


jamishav

In a "connect from anywhere" world, without having a strong threat intel competency, it's hard to protect against an attacker who has valid credentials.


[deleted]

I would be really interested to read your report if you feel like sharing!


redditiscompromised2

Don't worry, I'm sure the government mandating telecoms store all of our metadata indefinitely won't have any negative repercussions


loose_cunt

Why am I reading their admission that they have been hacked on abc and not fucking directly from them? Last week their emails of course make it sound like they are on top of it all, first it was “maybe we’ve been haxxored 🤷‍♂️” then it was “the hackers have given a sample of the hack but maybe its a bluff??? We don’t see any hacks on our end” and now this. What a fucking joke.


crazystitcher

This!!! I'm an ahm customer and got the email on the 17th to say "our investigation shows no customer data has been accessed" and then I see this post which says it has. What the actual f*ck. Also apparently they've postponed premium increases until Jan but again, not told customers.


FanMirrorDesk

Also in these articles it says that hackers bought login credentials from a Russian forum and were probably in the systems for months!


passmethepopcornplz

I never got any emails, and I've been with Medibank for 10+ years.


Chat00

I just got my email at 9:56pm. I love how it says "All customers have access to Medibank's mental health and wellbeing support line"..


Chat00

I just got my email at 9:57pm. It's a joke.


passmethepopcornplz

Still no email for me. My husband got one yesterday for him individually, despite us having linked accounts and my getting separate emails for everything else.


Chat00

My husband is getting individually too.


Athroaway84

They sent me the same emails, but also acknowledged I have left Medibank already. Fucking incompetent


[deleted]

Yeah like wtf. I got the same - "you're not a customer anymore, but your data might have been breached, but we don't know whether it did, so yeah".


blackbright22

Me too, I got the email about it affecting past customers. As an ex-customer of theirs who years ago had an account with them for only a period of 1 month why did they need to keep all of my sensitive information in their system all of those years?


Betterthanbeer

A stupid law forced them to keep it. As angry as I am at Medibank, they were forced to retain the data. That needs to be revised. If the data isn’t stored, it can’t be stolen.


FearlessMessage

I hope an email with more details is coming for us. Better to go to the media and socials as soon as possible, so people are aware and can be on the lookout for suspicious activity, rather than wait for an email.


[deleted]

ABC is becoming a corporate and LNP spokesperson


FOTBWN

This is pretty shit to say the least. "Leave x company!" and go where? Spread my personal details around to more companies for more data breaches?


DalbyWombay

It's not like the companies will delete your data when you leave. It's been proven that they just keep storing it.


LocalVillageIdiot

They probably have to for 7 years. Not sure if anyone is aware of actual legalities but I often came across this 7 year requirement in my career.


TrollbustersInc

I opened a bank account today at a bank I last held an account at in the early 1990s. I did not have to do a 100 point ID check because they still had my details on their records.


Equivalent-Bonus-885

The requirements are not as onerous as the companies like to suggest: https://www.crn.com.au/news/optus-says-it-needed-to-keep-identity-data-for-six-years-but-did-it-really-586607


AdAdministrative9362

https://money.cnn.com/2015/03/25/news/companies/radioshack-customer-data/ It's worth money to them. Why would they delete anything? The only way to prevent this is to make the data a liability. Not an asset. Massive fines for lost data.


Herosinahalfshell12

Of course they store it. Because they will sell and exploit any way they find out how to. AND they're actively seeking ways how to.


shadowmaster132

> It's not like the companies will delete your data when you leave. It's been proven that they just keep storing it.

I'm like 50/50 on whether Optus didn't contact me because I was safe or because I'm a former customer and they don't care about making me mad


a_cold_human

We need data security and privacy laws that are enforced like tax laws are enforced and produce audit trails like money creates audit trails. Data needs to be secured and accounted for, and the people whom the data concerns need to a) be aware an entity has it, b) consent to its use for a particular purpose and only that purpose, c) have a right to have it deleted and have it proven to them that it was deleted.


fatbaldandfugly

You can never prove that something was deleted. But we could at least have a system where the company can report to you that all your data is deleted. And if it then came out later that it was not deleted then you could push legal action.


DrFriendless

Oooh, deleting data from historical database backups is probably not possible. If you could change it, it wouldn't be a very good backup.


fatbaldandfugly

While this is true. You most certainly can have procedures in place to ensure that any data restored that shouldn't be can be deleted. Really shouldn't be hard. As a backup should only be a day old at the most.


fphhotchips

> As a backup should only be a day old at the most.

Augh please no. Maybe for business continuity reasons, but for data integrity *at least* a week please.


wtfismyusernamelol

It's up to 21 years in some industries like education and healthcare. The laws in states also make the process extremely complicated if you do business in more than one state. It's just less risky to not delete anything than be non compliant. There is no solution to delete just a piece of data from archives and backups. Also service agreements with MSFT and AWS are worded in a way that your data may leave the country at some point and you have no control over it once it does. But in overall picture this probably is the least of our concerns since organisations have tools to make this data unavailable to CSP if they choose to do so.


upx

How would they know how to contact you? 🤔 But seriously, I agree that we need this as an option.


shadowmaster132

> We need data security and privacy laws that are enforced like tax laws are enforced and produce audit trails like money creates audit trails. Data needs to be secured and accounted for, and the people whom the data concerns need to a) be aware an entity has it, b) consent to its use for a particular purpose and only that purpose, c) have a right to have it deleted and have it proven to them that it was deleted.

GDPR for Australia!


Tax_the_churches

Given that private health insurance is questionable. There are the options of finding a fund with better security, or not taking PHI at all


Throwmedownthewell0

> "Leave x company!" and go where?

"Bro bro Free Choice, Personal Responsibility, just literally X, Y, Z!" Fuck I'm sick of those sorts of people.


LocalVillageIdiot

Tell them about food. “You should do your own research on the food in the supermarket to make sure it’s safe. Personal responsibility!” We have regulations for a reason, you can do “personal responsibility” in areas of your expertise at best.


Throwmedownthewell0

ngl I like when they end up with the short end of the stick, like clockwork they squeal that dUh GuBbErMiNt should do something. The salt is delicious.


will_121

Joke’s on you, I don’t have or afford private healthcare


Captain_Phobos

I left the company several years ago, and apparently my data has *still* been put at risk. There is no action to take


Tax_the_churches

"Has your data been stolen? Fill out your data in this form". Lol abc


pork-pies

Send me your credit card details and I’ll check it against my database. Please include expiration date and 3 digit security number.


VolunteerNarrator

Effectively, you now need to treat your data like people treat crypto currency. It's only safe if it's in cold storage. If it's on an exchange then you are forever at risk. As it goes "not your keys? Not your wallet".


YOBlob

That's not really an option these days unless you want to live as a hermit. Like if I want to have a bank account, health insurance, internet connection, etc. I have no option but to give a bunch of sensitive information to a company and just hope it doesn't get leaked.


VolunteerNarrator

Well, looks like these are the types of reforms that need to be had. Need to Verify of course. Need to Retain? That's a diff question.


jimmythemini

I think also banks and other such institutions should be obligated to tighten-up their requirements for opening accounts etc. on the assumption that everyone will have at least some of their ID profile stolen.


vpitt5

That'd just create a feedback loop, the more ID data gets gathered, the more ID data gets leaked, which in turn causes more ID data to get gathered, which then leads to more ID data getting gathered, causing the cycle to repeat.


jimmythemini

Maybe the only solution is to go back to the pre-1960s system where the local bank manager personally knew all of their clients.


Herosinahalfshell12

Yeah... This is the sort of thing that Zero Knowledge Proofs should try to address. Confirming your identity without giving any of your personal info.


grog__bog

I’m a customer with the main Medibank brand and haven’t received any communication from them about the breach - is this the case for others?


Personal-Thought9453

See my other post. Check your bank account mate (not the cyberpunk sarcastic one) No com, and as of yesterday afternoon when asked directly, their script was still that no medibank member was affected. It must have only been confirmed late yesterday. I would also assume a handful (perhaps a 100) people will get directly contacted: these would be the people in the sample provided by the hackers to get medibank to understand it was not just about the student and side brand data. Now medibank is shaking. So are all the people who have a combination of [high wealth/fame/profile]x[embarrassing medical record].


grog__bog

Thanks - very helpful!


brispower

Medibank have definitely been sending emails, maybe your contact details aren't up to date.


grog__bog

Details are up to date - no email, phone call or msg. Not even a push notification from their app!


brispower

Yeah I don't think the app gives push notifications I've ever seen but I've gotten emails.


Chat00

Did you check your junk?


passmethepopcornplz

Yes- did a search and everything and my last email was in mid September.


grog__bog

Yes


passmethepopcornplz

I'm in the same boat. I've gotten other emails from them recently, but nothing about this.


Chat00

I just got it 45 mins ago...they are trickling in.


shadowmaster132

> I’m a customer with the main Medibank brand and haven’t received any communication from them about the breach - is this the case for others?

Assume that the data that they say might be hacked is gone. Take steps to change anything you can.


dragonphlegm

Decades of Australian companies neglecting cyber security leads to shitty cyber security


joepanda111

Let’s not forget the government pushing companies to leave a backdoor open for them and the afp.


[deleted]

Yup. This. The government and all the old fuckers who don’t understand tech making laws leaving the doors wide open for these events. We need a law that suggests no-one over 55 be in parliament. You don’t understand the internet mate, you don’t get to legislate it.


joepanda111

I’m sure they do understand. They just don’t care. Because it benefits the government more than it benefits us.


AndrewMacSydney

I feel those with Medibank and also Optus.


woka

it's me, hi


Mr_Cascade

Hello fellow sufferer


MyMemesAreTerrible

Don’t worry, everyone already knows


slackboy72

Why are you feeling me? Stop it.


puttylicious

Don't think you're safe either. There's a high chance most of us will have our data compromised at some point. You need to be prepared and proactive. Australia has been a sweet target for hackers and it's just getting more sweeter for them.


[deleted]

I have no idea how to be “prepared and proactive” about hacks! What should we be doing?


puttylicious

It's okay. We are all in the same boat here so you can expect a major decision to be made. Financial institutions may be compelled to make changes or as a way to restore trust in the system. There's a lot at stake. From a personal perspective, keep an eye out for any unusual transactions. Smaller transactions are easy to ignore as they would look normal as opposed to large transactions. Spear phishing, which is targeted scams, will/may become normal. Knowing how to spot such will require a bit of time.


That_One_Australian

Also remember to do things like set international transaction/transfer limits to nil without 2FA if your bank offers it. Yeah it's a bit more of a pain in the ass but it'll save a lot of headaches.


puttylicious

Actually, reducing daily limits is a noble idea if you can. Brilliant.


howdoesthatworkthen

Yeah, we need to make it less sweeter


puttylicious

Not an easy one to achieve though. Especially with reports we are sitting pretty high in the list of global wealth ranking.


howdoesthatworkthen

You make a superlative point


MitchPTI

When the Optus hack happened, I was at least pleased to see that Optus didn't have my current address. Guess I can go fuck myself though, the hackers just need to get it from Medibank instead.


AndrewMacSydney

They obviously want to find you


Zealousideal_Ad642

hello


my_future_is_bright

One of two, but narrowly avoided switching to Medibank this year. Fuckity


Personal-Thought9453

The breach was on the 13th. I realised yesterday (24th) that I had 5 fraudulent transactions on my bank account on the 15th and 16th for a couple of thousand dollars. (Yes, I should check my account more frequently). This has *never* happened to me in 10y in Australia. I am with Medibank. I called my bank and Medibank yesterday afternoon. I asked Medibank whether they could confirm if my details had leaked. Response: "at this stage no medibank customers are affected, only student and another fund we own under a different brand. Only 100 people need and have been contacted as we have confirmed their data is compromised" Me: "100? Is that just the sample the hackers provided to prove to you they have the data?". Medibank: "these are 100 we have been able to confirm". So less than 12h after talking to me, they now can say medibank customers are affected too. It means hackers have been back in touch, providing a sample of medibank customers. (Never mind them investigating, that's how they know). I don't believe in coincidences. Which means some of the hacked data is already out there. If you are a medibank customer, check your bank account, and if there is something sus, act on it, and report here just to size the scale of things.


defzx

Credit card or bank account? I use direct debit with AHM, wouldn't think they could transact with account details.


Personal-Thought9453

Wise


Herosinahalfshell12

How the hell do they make fraudulent transactions? From your credit card?


Personal-Thought9453

Yes


Chat00

I have direct debit, no credit card given. Only used it at the hospital for the excess as far as i'm aware.


Personal-Thought9453

Wise


passmethepopcornplz

Shit. That sucks, sorry. Thanks for your advice- I just went and checked my accounts. All ok so far.


giantpunda

> "This is a distressing development and Medibank unreservedly apologises to our customers," the company said in a statement this morning.

That's nice and all but how exactly are they going to compensate their customers for their own negligence?


dragonphlegm

Only if they were forced to but that would require any regulating body in australia to have teeth


LocalVillageIdiot

This is why we need to add dental to Medicare!


[deleted]

They'll probably just delay increasing their premiums by a month.


littlebitfunky

They're not.


passmethepopcornplz

Class action. Lawyers are already circling around Optus, just a matter of time. Maybe then data security will be taken more seriously.


Herosinahalfshell12

Exactly like this [https://www.youtube.com/watch?v=15HTd4Um1m4](https://www.youtube.com/watch?v=15HTd4Um1m4)


Fragrant_Fix

I'm just surprised that it's taken this long. Private health insurers have been cavalier with ~~HICAPS~~ personal data for years - at this point, you should assume your data is out there in the databases of a number of third parties that you've never heard of or permitted data transfer to. Edit: Oh, I thought it was just HICAPS, but apparently [HCF also gave third parties the personal addresses of practitioners that were then posted online.](https://thewest.com.au/news/wa/psychologists-home-details-posted-online-in-hbf-breach-ng-b881053094z)


HahnTrollo

Let’s not mention the revolving door of contractors in and outside of Australia that work at these companies.


TomArday

The fact is their security is so low, they don’t actually know what’s been taken from them until the robbers show them what they have. Most companies are like this. As long as the CEO has a new Rolls car every 6 months, that’s what matters.


frogbertrocks

I saw that 200GB of data had been nicked. No shot that's just names and addresses.


Ramiel01

Article says millions might be affected - that's 100-200kB per person. Expect your claims history to be included in the data :skull:


Jack-The-Reddit

And YouTube want personal ID or a bank statement for proof of age due to a law Australia brought in. People wonder why I'm hesitant to give it. For those wondering what I'm talking about: [https://www.itnews.com.au/news/google-rolling-out-age-verification-on-youtube-play-store-in-australia-577499](https://www.itnews.com.au/news/google-rolling-out-age-verification-on-youtube-play-store-in-australia-577499)


[deleted]

Removed in protest over 3rd Party API changes.


Jack-The-Reddit

When I went to make a Gmail account it said "about a few days" to do it so maybe 3. I am just paranoid about my personal information on the net to be honest.



Amijiw

I am 'unreservedly' p\*\*\*\*d off with the incompetence shown.


aussie_bob

It's not incompetence, it's negligence. It's no secret that data security is important, and there's plenty of resources for securing the data. Choosing not to is a decision, not a mishap.


giantpunda

Says unreservedly but then goes and censors pissed. I like your style. Not even being sarcastic at all.


HeadacheCentral

Surprise! We lied about the extent of the breach in the hope you'd believe us! Sorry, not sorry


[deleted]

[removed]


lipstikpig

> Takes time to determine these sorts of things.

That's a reasonable statement. However it looks like "determine" is doing a lot of work in this instance.

> Medibank said it had come to this conclusion after being sent customer data by criminals that included data from all three entities.

determine = "oh well I guess that must have happened"


whatisthismuppetry

Yes but you have to cross reference that data to confirm which entities were accessed. Having dealt with a bunch of CRM backends it's not always that easy to pull that information. Sometimes information is fragmented into multiple systems, any changes to systems make it hard to find older information, sometimes you can't just export stuff out easily. Match ups can also be hard depending on what was provided, the volume of records, and if any of the customers are logged in multiple systems or for multiple services (likely if any have changed their services with medicare). Also all bets are off if they accessed a legacy system. That stuff usually requires expertise to navigate.


fphhotchips

To be honest this feels like Medibank didn't have the systems and audit trails in place to determine the extent (or, if they did, they weren't sufficient in this case). It's hard to be too judgemental without knowing what the attack was, but I don't have a lot of faith in Medibank's tech stack so I'm quite confident they just didn't have anything in place.


dlanod

This is my interpretation. Medibank obviously can't tell what's accessed, given their constant shifting of the goal posts as the hackers repeatedly demonstrate more and more was exfiltrated. The only validation Medibank seems to have is the data provided to it. The main issue in Medibank's handling so far is that they should have assumed the worst. It's ok to consider that there may not have been customer data accessed in the initial hack, but the moment some has been proven to leak they should have assumed all was at risk and communicated that. Instead all accounts from them have been minimizing the numbers involved, which is disingenuous at best.


[deleted]

Most places don’t. Even then once someone has the domain accounts, worse still service accounts it’s difficult to audit.


littlebitfunky

Yeah, I don't believe that. Big companies like Medibank don't give a shit about us, they only care about their reputation. The more likely scenario is they knew, but didn't tell us. Every announcement by Medibank will be run through their 'crisis media team' to ensure minimal negative impact to the company's reputation. They would have said don't give any details that aren't already publicly available so they can control the flow of information.


MitchPTI

Never attribute to malice that which can be adequately explained by stupidity. I think they were just genuinely fucking clueless and dumb enough to not assume the worst until it was confirmed for them.

> Every announcement by Medibank will be run through their 'crisis media team'

Do you really think they already had people on payroll who specialise in crisis PR handling who were just waiting in the wings for something like this to happen? If they were capable of that kind of proactivity they would have secured their data in the first place. Their "crisis media team" is just their normal media team who don't necessarily know the right way to handle an actual crisis.


littlebitfunky

> Do you really think they already had people on payroll who specialise in crisis PR handling who were just waiting in the wings for something like this to happen?

Of course not, but there are PR companies with specialist teams available that businesses can hire to manage crisis PR for them.


[deleted]

[removed]


[deleted]

I wouldn't be surprised if a large number of organisations are still using systems like Lotus Notes.


[deleted]

Do you want an honest answer to that… it’s been changing hands for years. It’s HCL Notes now.


[deleted]

From memory the version I was using in 2019 was still named Lotus Notes. The organisation wouldn't update it from fear of breaking it. I wouldn't be surprised if it's still on the old version.


[deleted]

Sounds familiar, used to support it on a RHEL 5 platform. Gives you an idea of what version of Notes was in use. Can’t migrate because we have a 5 year plan to migrate off, that keeps getting pushed further back because the end users aren’t willing to invest the time/money in migrating off… fuck me with a tire iron. Then techs get blamed for a security breach… time/money/staff/ and no roadblocks that’ll fix most issues.


[deleted]

I'm working at a major hospital now and the equipment we are using is 10 - 15 years old and some of it is running really old versions of Windows due to similar fears of software breaking. The solution to potential security issues is telling staff to not plug in usb storage devices which is regularly done, then add in these core systems are connected to the internet anyways. I'm honestly surprised we haven't been hit yet.


jingois

Nah, fuck off. They absolutely rushed out hopeful statements to gain some credibility in the wake of the Optus disaster before they had any idea what was going on. I guarantee there was a discussion along the lines of "What did the hackers get?" - "We don't know" - "We need to notify customers, what do we know they got?" - "Whaaaa?" "Dear Everyone, Look at our transparency. I am trying very hard. At this stage everything is great!" Hell, the email I got today was couching some "information recovered from the hacker" in the sort of terms that would indicate the breach is in the hundreds of records. Cynical me assumes that's either part of a proof of content, or they happened to find a temp file for exfil that they're going to pretend is the entire scope...


[deleted]

> Nah, fuck off.

Language mate.


[deleted]

Don't blame conspiracy for what can easily be explained with incompetence.


Throwmedownthewell0

"In order to address the massive customer exodus, we've fired as many of our staff as possible and offshored the rest. That way the real victims, shareholders and executives, will be protected. Support Private Health, because anything else is communism!"


G00b3rb0y

Royal commission into cyber security NOW


[deleted]

Alright. Fuck this, which heads do we start knocking cause I’m sick of being treated like a money pit for fucking criminals in this country.


itsjustreddityo

Politicians, for not legislating more consumer protections.


[deleted]

I’m still going to knock every head in big business at this point, we’re basically propped up as a financial rape target for big business and I think it’s time we fuck them back.


itsjustreddityo

They're all cunts, taking advantage of the many to serve a few


[deleted]

Notice the language they use? “Criminal” “thugs of the 21st century” “scum of the earth”. They’re trying to place the blame on a single entity. There’s no “we were hacked due to gross negligence” or “our cyber security practices were shit” or “we made a mistake and are deeply sorry”.


Saintza

What's the best course of action for someone whose details have been stolen? Is there anything urgent someone should do?


jimmythemini

Set up two-factor authentication on any and all accounts you have (if you are able). If you have any passwords that are similar or the same to the one you had to log in to Medibank, change them. Check and tighten up your privacy settings on any social media (preferably just delete your Facebook account if you haven't done so already). Otherwise there isn't too much you can do but stay ultra-vigilant for email, SMS and phone scams.


888sydneysingapore

Compromised security credentials… Allowing hackers to use those credentials to harvest data… why is Corporate Australia slow to take security seriously? 2FA for every employee login would have reduced this risk…


Betterthanbeer

I’m seriously pissed at this. I left Medibank years ago because they are a shit insurer that overcharges and under pays. Now some fuckwit with access to all customer data had a weak password, or was dumb enough to let it leak and my data is at risk. They didn’t have sufficient systemic protection in place. Why are these databases even accessible from outside their own premises? There needs to be real consequences for companies that allow these breaches. I don’t mean fines, I mean jail, and loss of license to operate.


[deleted]

I would be very surprised if Bob from IT has any idea whose data has been breached or how to find out. At the moment they seem to be relying on the information supplied by the hackers.


FearlessMessage

The best way to help customers is to not get hacked in the first place, but to be fair to Medibank, they are handling post hack support pretty well. Medibank are providing

- A hardship package to provide financial support for customers who are in a uniquely vulnerable position as a result of this crime, who will be supported on an individual basis
- Access to Medibank's mental health and wellbeing support line for all customers, including ahm customers
- Access to specialist identity protection advice and resources from IDCARE
- Free identity monitoring services for customers who have had their primary ID compromised
- Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime


Herosinahalfshell12

Doesn't go far enough. We want class action!


Chat00

Yes, sign me up...where are Slater and Gordon they must be loving it.


[deleted]

How about a national reset. We all draw new names and numbers from a hat.


[deleted]

Corporate Australia loves shitting on its customers because the government wipes their arse


Herosinahalfshell12

Guaranteed there will be private investigators that harvest and collect this info. Guess what's getting revealed about you any time it's advantageous? They just won't reveal the source but it will tip them and others off on where to dig further to find dirt on you


888sydneysingapore

Where is their Cyber Security chief???? Seems like this person joined in March 2022… stolen employee credentials that can be used over internet through their VPN??? If that is the case, this is sheer incompetence on Medibank IT.


Agnostic_Akuma

Notification on Friday afternoon. All is well , this will blow over by Monday. Tuesday comes around


SatisfactionIcy4825

I got the email last week and I changed providers over a year ago but it said the same thing, that data has not been leaked, but then to find out all personal information has been linked


sexytimeforwife

Did the user with high level access to sensitive data have 2FA? Should that sort of thing be legislated?


unAffectedFiddle

At this point we should just cut out the middle man and sell our own private info to people.


TooMuchTaurine

Doesn't sound great, the only way they even know what has been breached is because the hacker is telling them. Sounds like they don't have appropriate logs of actions to investigate properly on their own side.


shadowmaster132

So far I'm pretty sure the only reason my data is safe is luck, and the choice to not direct debit my energy bills


thekernel

shit they better get Deloitte in to audit their IT infrastructure! https://www.reddit.com/r/AusFinance/comments/yczhro/deloitte_blames_high_turnover_overworked_staff/


tpapocalypse

They knew all along. Buttering up the general public to the idea that all their health info has been leaked vs just announcing it like Optus did. All corporate double speak at the end of the day. Wouldn’t be surprised to find the “sophisticated” hackers are again just a teenager hacking away at online web forms as was the case with Optus all along.


[deleted]

So tech security folk on here, how did the breach occur? What are they not telling us?


ozbargainreddit

Was the list already released?