All of Medibank’s stolen data leaked, Australia increases maximum penalties for data breaches

Australian health insurance provider Medibank has confirmed that another batch of the customer data stolen in the recent breach has been leaked.

“We are conducting further analysis on the files today and at this stage believe there are 6 zipped files in a folder called ‘full’ containing the raw data that we believed the criminal stole,” the company said. They previously confirmed that data of 9.7 million of its current and former customers was stolen.

The current situation

Medibank is making an effort to minimize the bad news, somewhat, by saying that much the data leaked is incomplete and hard to understand.

“For example, health claims data released today has not been joined with customer name and contact details,” the company claims.

Also, that “there are currently no signs that financial or banking data has been taken,” and that “the personal data stolen, in itself, is not sufficient to enable identity and financial fraud.”

Simultaneously, they are also asking “the media and others” to “not to unnecessarily download sensitive personal data from the dark web and to refrain from contacting customers directly.”

There’s no doubt that, given the sensitive nature of the compromised and leaked data, the support program they set up is very comprehensive, offering free identity monitoring services, counseling and resources for mental health support, hardship support, and so on. Nevertheless, this all might be of cold comfort to those affected.

High-profile data breaches pushed Australia to increase fines

Also on Thursday, the Office of the Australian Information Commissioner (OAIC) – which is the national data protection authority for Australia – has announced the start of an investigation into the personal information handling practices of Medibank.

“The OAIC’s investigation will focus on whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure. The investigation will also consider whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs),” the OAIC stated.

“If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of individuals has occurred, the Commissioner may make a determination that can include requiring Medibank to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.”

The Medibank breach and other recent high-profile data breaches at big Australian companies (e.g., Optus) have spurred the Australian parlament to vote in legislation that has increased the fines Australian business face if hit with data breaches.

“The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases the maximum penalties for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of: $50 million; three times the value of any benefit obtained through the misuse of information; or 30 per cent of a company’s adjusted turnover in the relevant period,” Mark Dreyfus, Australian’s Attorney-General, explained.

“These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.”