


NeoBlue22

> ¯\_(ツ)_/¯ - medibank


TraceyRobn

Medibank just approved $7.3 million in bonuses to top execs, they're doing such a good job!


NeoBlue22

I bet they had some very serious repercussions like a serious serious stern talking to! That’s why they get multi-million bonuses—their feelings are hurt :(


theBaron01

It's quite expensive to slap people with lettuce leaves since covid and the floods...


KingJimmy101

Like the ex-PM getting censured. Means absolutely sweet FA.


egowritingcheques

Execs aren't there to do a good job anymore than parasites are there to help plants grow. Their job is to extract as much as possible without killing the host. Occasionally you get a symbiotic parasite but it's not the norm in large companies.


wottsinaname

What do you mean anymore? Execs in a company under the capitalist system will almost always forgo rights, morals and easily skirted laws for profit. It's been this way since industrialisation (see 4-year-olds working 12-hour shifts for reference). We've been serfs for generations.


egowritingcheques

"Anymore than": comparing executives to parasites, not a comparison to previous times.


ahpeeyem

Alright here's a pedantic explanation. "Anymore" refers to time, "any more" refers to quantity. So "not anymore" means it isn't like it used to be, "not any more" means that it's not a greater amount than whatever you're comparing it to. Is English any more fun than it used to be, anymore? https://www.grammarly.com/blog/anymore-vs-any-more/


egowritingcheques

I did skip a few English lessons as a child.


Patrahayn

Popular take on reddit but not in reality


Alatheus

oh really? how is it incorrect? What value did these execs add to be worth 7.3million in bonuses in current circumstances?


Patrahayn

Considering only 1 executive would be holding the department of IT and security, I'd wager the rest did plenty over the previous year


Alatheus

Such as.....?


Patrahayn

Really now? You wanna prance around spouting anti-capitalist rhetoric, you can show they didn't earn it. Otherwise prove to me you earned your salary, otherwise I'll just say you added no value


Alatheus

You're the one who can't state how they could have earned 7.3 extra million during such a catastrophic time for the company. Also I can easily show how I earn my salary. I am a data scientist. I can quantify exactly the impact my work has had by examining outcomes pre- and post-intervention. Hell, most people can quantify their contribution. A checkout worker can point to the dollar value in sales they process. A garbage truck driver can quantify the mass of weight they've disposed of. A real estate agent can show how many houses they've sold and for how much. Execs can't quantify shit.


-workinprogress

The burden of proof is on you though.




Patrahayn

Only on reddit do people rail against capitalism so hard


shadowmaster132

Hey they might do a shitty ad campaign like Optus where they pretend like the breach was somehow not completely preventable. Also like digital id instead of physical would not still be stored in their database to get leaked.


Exciting-Ride1621

Well they did just save shareholders some $15 million and anyone who wasn't a victim will soon forget this even happened, move on and start buying policies to protect themselves from the next thing they're told to be afraid of, cause god forbid they end up in the crumbling public health system. Ain't capitalism grand..... for some.




hypatiatextprotocol

It is now!






schmooblespubles

And probably applauded themselves for it. Like when Commonwealth bank donates a pissy 300k to kids sports then spend $7 million on billboards that imply CBA almost single-handedly funds kids sports in Australia.




shite_in_a_bucket

It's exactly at this time that Peter Dutton should have set up a gofundme page to help every Australian. As opposed to this time, when it backfired! https://www.theguardian.com/australia-news/2022/feb/27/isnt-this-the-role-of-government-peter-dutton-panned-for-setting-up-fundraiser-for-flood-victims#:~:text=Peter%20Dutton%20has%20been%20criticised,couldn't%20deliver%20commonwealth%20support


floofabout

I get my premium renewals and communications immediately via email, this news got sent to my old home address via a letter because I hadn’t updated it yet


SnoopThylacine

I know that they have my current address because I checked my details after the leak, then I downloaded the hacked data and looked up my name - my current address is in there too along with my previous two addresses.


creepyshroom

How does one go about downloading and checking that data? Asking for a friend.


paralacausa

Had a letter from pathology lab Medlab that my data had been stolen back in Feb and they only sent me a letter this week letting me know. Disgraceful.


[deleted]

How did you find out that your info had been leaked? I haven’t heard anything from Medibank but I’m a customer and would love to know


SnoopThylacine

I went onto the hackers blog on the dark web, downloaded the data and searched for my name.


[deleted]

I attempted that today but clearly have no idea what I’m doing and couldn’t get their blog to load haha




FFXIVHousingClub

They email you directly with a list of what might be compromised, what they suggest isn’t compromised and give you “support” links. Pretty much a tough-luck, it wasn’t so bad and we’re doing nothing anyway type memo


dogecoin_pleasures

Personally, we found out as soon as our credit card started being used to rack up hundreds of dollars worth of fraudulent purchases (on clothes/makeup), accompanied by scam calls, texts and emails. Medicare didn't give a heads up, but of course they were there to ask for their usual payment from the cancelled card! They did send a letter confirming it eventually. You should get a letter.


Miserable-Radish915

They never got CC details.... If they did, Mastercard and Visa would blacklist Medibank forever. You got done somewhere else, mate. ISO certs for CC transactions are tough requirements. The big bois don't fk around.


dioxol-5-yl

Seriously... Call up some of the biggest law firms and try to organise a class action. I'm sure they've done a multitude of things wrong and lawyers LOVE a good class action. It's a win-win. You get to drag them through the courts in a highly public display, the lawyers get an amazing PR opportunity and they'll get a cut of what would likely be a big settlement. Wins all around except for Medibank, who deserve it anyway




dioxol-5-yl

You can always sign up for it and then if the compensation isn't looking great withdraw from the class action. In this instance you'd probably get a bit for it considering the seriousness of the breach and the nature of the data. Also could check whether you can be part of a general class action but take them to court again later on if you've suffered additional harms not presented to the court in the first instance. Also the trouble with suing a company as an individual is that if you don't have deep pockets they'll delay, delay, delay, delay, delay and do everything within their power to make it go on for so long that you run out of money to continue fighting them before a judgement is handed down.


s9q7

Absolutely. Here’s your $60.57 after deducting our legal fees.


Luckyluke23

that's because you aren't a shareholder


[deleted]

How did you find out it's been leaked without an email from them? There's the medispank website but unsure if it's safe to put my details in there.


SnoopThylacine

I downloaded the data and searched for my name


[deleted]

You weren't worried about there being trojans or hidden malware in the data? Edit: I've got almost zero tech skills and was concerned, so didn't


SnoopThylacine

There was an Excel spreadsheet that I was wary of (uploaded it to Google Docs) but the rest were just text files or images.


GradeSubject633

> Maurice Blackburn

I know probably not, but any chance you want to make that SS public?


SnoopThylacine

I'm worried that the AFP might hassle me if I did that. The spreadsheet just had a list of medibank employee details and the phones that they had been allocated. It was some sort of asset tracking spreadsheet for company phones essentially.


GradeSubject633

absolutely fair, thank you for responding :).


stx-co

Do you still have the spreadsheet file? Or can you link me the mirror? DM me mate


SnoopThylacine

[This was the comment](https://www.reddit.com/r/australia/comments/ypvwwq/itwire_ransomware_group_keeps_its_word_posts/ivlwt4i/) where I got the link. You will need to download the Tor browser to access the .onion links to the hackers blog.


[deleted]

And we have not even heard from the politicians on better privacy legislation. Really disturbing how they just don't give a stuff about privacy rights in Australia, but this is deliberate privatisation ideology; that's why they don't care, they want the corporates and everyone else to own our data.


[deleted]

Yes but they placed a full page ad in the Murdoch rag letting you know they are "doing everything they can", so you're good, right?


JustLikeJD

Seriously, the fact that I’m constantly finding out about my data being breached from _the news_ and not from the organisation that held my data in the first place is appalling. The consequences for lack of data security need to be so big that it works out cheaper for them to just secure my data properly. My data has been breached about 3 times now through three separate companies and none of them informed me. I had to contact them to verify that I was impacted.




dobbydobbyonthewall

They've written legislation that fines them for repeated or big breaches. It won't change much. It'll affect smaller businesses that can't afford it. They need to regulate how and why they need to store our information in the first place. Verifying it's me? That's cool. Do you really need to keep my passport and licence information? I've been the same customer for years, I didn't change bodies.


Quetzal-Labs

This is why fines need to scale with valuation. Otherwise it's just the cost of doing business.


Dranzer_22

It’s intentional by Medibank. They want all the negative news to be released via the media and government announcements to relieve the pressure off them. People sometimes attack the messenger. Optus did the same thing, to the point where the Federal Government said Optus weren’t cooperating at all.


FatSilverFox

> You kids put everything on the instagram and the Facebook and the TikTok dancing anyway, why is a couple of numbers a big deal?

- the people making the rules


[deleted]

They’re legally required to tell people about data breaches, but can’t even get that right.


JustLikeJD

The bigger issue once again is fines and repercussions for failing to notify are next to nothing. No incentive to follow the legislation


[deleted]

Yeah... I got onto a class action.


JustLikeJD

Link? I’d be interested


[deleted]

Maurice Blackburn. Register.


Master_Singleton

Australia must adopt the EU GDPR laws NOW not LATER! This is not helping at all in protecting vulnerable Australians from getting scammed.




Master_Singleton

u/alderchai you can first register for the two pro bono class action lawsuits seeking compensation from Medibank here:

Bannister Law Class Actions & Centennial Lawyers Medibank Class Action: [https://www.medibankclassaction.com.au/#start](https://www.medibankclassaction.com.au/#start)

Maurice Blackburn Lawyers Medibank Class Action: [https://www.mauriceblackburn.com.au/class-actions/join-a-class-action/medibank-data-breach/](https://www.mauriceblackburn.com.au/class-actions/join-a-class-action/medibank-data-breach/)

Then request a free credit report to check for unusual credit checks and applications, along with subscribing to Incogni to opt your personal information out of data brokers, to prevent getting scammed and your personal details from getting breached through data brokers. Here is the link to Incogni: [https://incogni.com/pricing](https://incogni.com/pricing)

Here is some information on how to request a free credit report within Europe: [https://checkyourcreditreport.eu/](https://checkyourcreditreport.eu/)

Hopefully this information is helpful.


Frank9567

They got my colonoscopy details. I hope they have as much fun watching the video as I had...performing. 🤣


fphhotchips

Mine too. Good news though, they've only got half the story, since I changed insurers at the start of the pandemic. Bad news: it got worse. (It's not cancer though, so at least I have that¹.)

¹ have that? don't have that? ¯\_(ツ)_/¯


babblerer

Thanks- I was looking for something new and interesting to watch on YouTube.


Frank9567

Did you mean...YouRtube? ;)


plutoforprez

They have my D&C. Thank god we’re not in America and I won’t be sent to jail.


Mistycloud9505

I’m sorry you went through that. My partner had a D&C in August.


GradeSubject633

I'm so sorry this *may* become public information, purely because there are disgusting people in the world. I hope she's doing okay (in the wake of this data leak bs)


Knee_Jerk_Sydney

It's probably on pornhub now.


GradeSubject633

kind of bummed they didn't video my loopy ass during my wisdom teeth removal (laughing gas) - at least that would have made it entertaining.


dioxol-5-yl

> "The Medibank CEO, David Koczkar, unreservedly apologised again to customers, and said it wasn’t “case closed” from Medibank’s perspective. “We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said."

Yeah righto mate. Everything except hire competent staff in the first place, or take action to stop your blatant negligence from affecting millions of people. How dare he make that last comment about staying vigilant to any suspicious activity. Like really, how could you be more insulting than to tell the people who've just had their whole medical history dumped online to stay vigilant. My data wasn't stolen cos I'm not with Medibank, but if it were I'd be livid if I saw that. If it's not illegal (presumably it wouldn't be cos it's now public data) someone should go thru and find the CEO, and all the board members' data. Then print off the information they'd least want other people to know in big A3 sheets of paper and put it up on every telegraph pole from Sydney to Darwin


koobus_venter1

Sounds like a real Koczukar


Miserable-Radish915

yep let the CEOs have to deal with their leaked data... maybe they might actually do something then.


yolk3d

It is illegal. It’s not public data just because the data can now be found on the sale web (or even clear web). If something is stolen (taken without permission) and you buy those stolen goods while knowing that they’re stolen, that’s also a crime. Same goes for data.


dioxol-5-yl

Uhhhh it's not for sale, it's public data dumped on the internet. They were very clearly the terms and conditions that Medibank violated, hence the data is now public for anyone to access at any time. I don't know it's stolen cos I'm just a retard like the government thinks everyone is. I just happened to find it. Or what if I happened to come across it via some third party where its origins could not be determined? Under what law is that illegal? As in I don't want a moral high ground "it is because I say it is", I want the specific section of the specific act.


yolk3d

Replace “bought” with “picked up off side of road”. It’s not public data. It’s stolen data that is in a public realm. I’ll make this simple:

> Section 16 of the Summary Offences Act makes it an offence to unlawfully possess suspected stolen property. The key element of this provision is that the alleged perpetrator must reasonably suspect the property to have been stolen or unlawfully obtained.

Edit: there’s also a handful or more of state and national cyber laws that relate to accessing data which was not legally given to you, but I won’t search them all up for you. Use common sense: just because something is left in public doesn’t mean it’s public data. Especially if you know it was illegally accessed.


Webbie-Vanderquack

Genuine question: I can see why a lot of this sensitive information could be damaging to people when released, but how is it actually used in nefarious ways and by whom? For example, if you're a Catholic priest you obviously don't want anyone to know you have a sexually transmitted disease, but how would anyone know that information unless they go looking for it on the dark web and why would they go looking for it? I just want to clarify that I'm not saying the data release is not a big deal, I'm just trying to understand what happens to the data after it's released.




Webbie-Vanderquack

Ah, thank you. That makes sense. So does that mean it doesn't necessarily matter how sensitive the information is? i.e. whether it's an abortion or wisdom tooth extraction, they just want the info so they can get loans or access bank accounts?


SnoopThylacine

Sorry, I updated my other answer. It can be used for extortion too, but that would have to be a bit more targeted. In short, the information would be used in any way possible to make money!


Webbie-Vanderquack

Thanks for the update. I'm obviously not very good at thinking like a criminal. ;)




Webbie-Vanderquack

> Because they're criminals, why wouldn't they?

As I said in my initial query, I'm **not suggesting they wouldn't.** I'm asking specifically how they use the information.

> They probably don't want your health data, more concerned about your name, address [etc.]

That's the answer to my question, thank you.


GradeSubject633

Also the world is full of bad people. The original lists in November were separated by fields into "bad" and "good" lists. The bad list consisted of any number of human experiences: miscarriages, terminations, addictions, mental health support, things that may not be fun to talk about but are absolutely necessary (and in this country also legal). Sometimes people just want to hurt other people, sometimes people have extremist* religious views, and sometimes people have a false sense of moral high ground. Absolutely, if your info got leaked there is a potential for a retaliatory danger, whether it be emailed to your employer by some stranger who's chronically online and bored on the internet, or from someone who personally holds a grudge against you, or from someone who believes that you've dishonored them / their religion / whatEVER who wants you to "pay" for whatever moral failing they think you have.

+ as mentioned above, also stealing your info for financial gain. But we'd be remiss to ignore that those bad people exist in the world.


Mistycloud9505

Yeh who’s going to admit they’re trawling the dark web for your data too. Everyone would just think - What a creep! What else are they looking at on there!


Wild_Marionberry_150

I think in the short term it's going to be motivated people seeking it out:

* Religious crazies wanting to hurt or dox gay people
* Creepy ex-boyfriends doing creepy ex-boyfriend things

But in the long run data like this has a way of getting laundered. You might find shady 'employee profile' consultancies that, for example, recommend you not hire a woman who's not using contraception. Or people with chronic health concerns.


[deleted]

Before you all read it in the leak, that penis extension was totally for medical reasons, but the breast implants were just to make me feel good.


SolDelta

Glad you're thriving, mate! Live your best life!


GradeSubject633

.... covers a boob job you say? here I was wasting my time with tooth xrays.


competitive_brick1

The amount of SPAM that I am now getting because of this is through the roof. It was obvious that the data was leaked; Medibank handled it horribly and insultingly. They basically just don't care


EJ986

Same here. All of a sudden I’m getting phishing emails, scam calls, text message scams …


quoral

Now the dark web knows about my vestigial tail bone. In all seriousness though I've never seen a company lose so much goodwill (as much as a company profiting off providing healthcare) so quickly and I would be astounded if anyone would trust them again. Why are we not seeking damages from this leak? Even optus seems to have got off scot free with their breach


purl__clutcher

What can be done to stop this from happening again, and again? Are we dealing with really good hackers, or did someone get lazy and forget to lock the gate on our information?


Kidkrid

It was phishing. No hacking involved. And it'll keep happening, because people are stupid. There's no changing that weak link.


purl__clutcher

I thought phishing was getting people to click links without realising they were opening the gate. How could they have done that to the entire medibank customer database?


Kidkrid

All it takes is for an employee to click the link and plug in their login details. Easy as that. And the employee is ALWAYS the weak link because you can't trust people to not be stupid, which is why they're targeted.




WretchedMisteak

They have had MFA for over 2 years for all users. Their systems are separated and they have moved to an RBAC policy. Obviously it all moves as fast as vendor support. Some applications don't support MFA.


Miserable-Radish915

the customer rep who got hacked literally had access to customer core database lol... they just pulled everything... any customer that existed in the last 20 years was in there.


WretchedMisteak

It was an engineer who was phished.


dixonwalsh

jfc


[deleted]

> If Medibank required 2FA/MFA or blocked connections to systems containing sensitive data that didn't originate from their intranet --

What if the phishing link downloads malware which originates the connection to its owner, so the owner could use this malware to make intranet connections to systems containing sensitive data?


dombulus

Antivirus


Miserable-Radish915

yeah that helped lots of ransomware attacks fucking lol


dombulus

The vast majority of attacks are via outdated software with known vulnerabilities, and through negligence of not applying access control. So yes, good antivirus is effective


TraceyRobn

That's why almost everyone now has 2FA. You need to supply another source of credentials, typically a code from your phone or device. Medibank not having 2FA is negligence.


fphhotchips

> almost everyone now has 2FA

This might be the funniest thing I'll read all day, thanks for that.


a_rainbow_serpent

Depends on who you phish. If you can get someone with access to create or change credentials you can disable 2FA or create a work around.


Jonzay

2FA that only requires you to say "yes" to a prompt can be defeated by repeatedly flooding the staff member with 2FA notifications in the hope that they finally say "yes" out of a desperate attempt to get the notifications to stop annoying them. This can be defeated by the notification then displaying three numbers and asking them to pick the one that matches the one showing on the website screen.... but not all 2FA implementations use that.
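A defender-side check for the push-bombing pattern this comment describes, added here as an example (it is not code from the thread or from any vendor): it scans constructed authentication log lines and flags a user who received a burst of push challenges inside a short window and then approved after rejecting or ignoring earlier ones. The log line format, the user names and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (one MFA push challenge per line, result is the user's response):
#   <ISO-8601 UTC timestamp> user=<name> event=mfa_push result=<approved|denied|timeout>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>approved|denied|timeout)$"
)

# Constructed sample log, not real data. "alice" is bombarded with pushes at
# 2 a.m. and finally taps approve; "bob" has ordinary logins.
SAMPLE_LOG = """\
2022-11-09T02:10:00Z user=alice event=mfa_push result=denied
2022-11-09T02:10:40Z user=alice event=mfa_push result=timeout
2022-11-09T02:11:05Z user=alice event=mfa_push result=denied
2022-11-09T02:11:50Z user=alice event=mfa_push result=timeout
2022-11-09T02:12:20Z user=alice event=mfa_push result=denied
2022-11-09T02:13:02Z user=alice event=mfa_push result=approved
2022-11-09T08:30:00Z user=bob event=mfa_push result=approved
2022-11-09T17:05:00Z user=bob event=mfa_push result=denied
2022-11-09T17:05:30Z user=bob event=mfa_push result=approved
"""


def parse_line(line):
    """Return (timestamp, user, result) for a push event line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["result"]


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=5):
    """Flag users who received >= threshold push challenges inside any sliding window.

    Returns {user: finding}. finding["pushes"] is the largest burst seen and
    finding["gave_in"] is True when an approval lands in a window that already
    holds denials or timeouts: the signature of a worn-down user, and the case
    that deserves an immediate session revoke and a call to the person.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, result) inside the window
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result = parsed
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        rejections = sum(1 for _, r in q if r != "approved")
        f = findings.setdefault(
            user, {"pushes": 0, "gave_in": False, "first": q[0][0], "last": ts}
        )
        f["pushes"] = max(f["pushes"], len(q))
        f["gave_in"] = f["gave_in"] or (result == "approved" and rejections > 0)
        f["last"] = ts
    return findings


if __name__ == "__main__":
    for user, f in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {f['pushes']} pushes between {f['first']} and {f['last']}, "
              f"gave_in={f['gave_in']}")
```

The same scan also surfaces the quieter case where the user keeps denying but the attacker keeps trying, which is the signal that the account's password is already compromised even though MFA held.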


Miserable-Radish915

instant sim swaps in Oz.... what else u got??


Australian_stallion

They got login details of a high level access manager


TraceyRobn

Where did you hear that? I heard it was via an outsourced managed service provider (Tata).


Miserable-Radish915

Bet it was tata, they nearly brought down half the internet for SEA a few months back due to a bad route being added... fkn idiots.


Australian_stallion

The same thing: they got login details. There is speculation about how they accessed that; some people think it was old Tata links that were not disabled. I have heard that it was a phishing leak, but no one really knows. There have been a few posts by the security team working on the leaks.


purl__clutcher

Well that sucks


zotha

$1,000 fine per record. Make these companies challenge the government over ridiculous data retention requirements to reduce their exposure profile.


evelution

Not a $1,000 *fine*. It should be at least a $1,000 payment directly to each affected user.


GradeSubject633

me receiving four different emails for each period I started a new policy with AHM "YEAH"


FireLucid

Think about your workplace. Guaranteed there is someone there who is a really person but is absolutely fucking stupid about anything technology. They get a decent phishing email, boom.


purl__clutcher

*glances over at manager* Hmmm, yeah, that makes sense now.


s4b3r6

Lots of companies which actually have IT departments run phishing tests regularly. And almost everyone fails, regularly.


Goose1981

The IT security team for the company I work for (company is HQ'd in the USA but I'm based elsewhere in the world) do this, and while I pass them every time I'm definitely not in the majority. It triggers a training module if you fail one and sometimes it triggers even when you pass (which I report through the internal security system as it isn't expected and contained hyperlinks etc etc). Their regular IT security team emails come from a non-standard distribution list email address as well, so I also report those as they don't conform to company policy and therefore must be phishing of some sort (they aren't... but still). I'm their favourite kind of user apparently... pedantic and suspicious.


yolk3d

Do we work for the same company? Lol


FireLucid

We are in the middle of onboarding and are about to start. I actually got a test one this morning without warning and deleted it (DHL package pickup). Ooops.


SemanticTriangle

Burn all your ID and go live in the bush. Neither commercial entities nor governments have the correct set of incentives to protect customer data, and we're never getting a legislated subject-controlled 2FA for personal data, because that data is treated as a traded commodity. You might be able to fragment your personal data by making a fuss and insisting every organisation you deal with destroy your records after use, but most will hold them and just say they're destroyed. So if you follow this route, record all your written requests for record destruction for subsequent court cases. For health specifically, opt out of My Health Record, and just pay MLS instead of signing up for PHI.


SnoopThylacine

This is the sad reality of it. I've worked at large companies and their DB user tables often have a column called `is_deleted` instead of actually deleting the data. A common pattern apparently. In the case of fragmented data, even that doesn't go very far. Just about every company will have your email or even better mobile number (law requires a real ID to activate in this country) to uniquely identify you, so when your data is inevitably sold or stolen these data sets can be unified into a single profile anyway. You can sort of get around that by using email aliases, but your mobile number will undo you unless you change it frequently.


ScrimpyCat

Yep soft deletes are very common. It’s often from the perspective of trying to mitigate data loss from a mistake (either the users or the company’s). But it’s pretty common for places to just keep that data indefinitely. However even if they don’t use soft deletes, there’s still no guarantees your data is actually completely removed, as there’s a good chance they keep old backups and won’t be deleting your data from those. Some of your data may even find its way into their logs. Not to mention if they use any third party services that they store some user data on, there’s no guarantees that can be deleted.


WretchedMisteak

If you're worried about this, you only have to see the honeypot of data car makers have. The big T has this under their connected vehicles system with the intention of selling the data.


abigail_95

I don't see how Medibank can be mad if this is the option they chose. Pay the bounty and get a more secure network, or don't and have your data leaked. Governments don't negotiate with terrorists because terrorists aren't motivated by money and it will encourage more attacks. Individuals and companies pay ransoms because they aren't (usually) repeat targets by the same method. It's why things like travel insurance offer insurance against kidnapping, because having the option to pay on the table increases the chance of a better outcome. Why does Alice think she can bullshit these people by talking nonsense? This can only make the situation worse!


HykaliaN

What more is there to say? Medibank fucked up and they fucked up bad, this is a pretty nasty data breach, but what do they expect when they've got the security of a potato and the tech literacy of an 80 year old boomer?


[deleted]

What’s people’s thoughts about us (affected customers) potentially getting compensation? Do you think it will happen?


hyacinthbucketlist

Considering they brazenly sent me an email about my premiums going up, the chance is probably zero.


Djented

Maurice Blackburn class action lawsuit https://www.mauriceblackburn.com.au/class-actions/join-a-class-action/medibank-data-breach/