Following the news this morning that Medibank, Australia’s biggest health insurer has suffered a data breach, cybersecurity experts reacted below.

News that a data breach may have enabled access to the PHI & PII of potentially four million Australians is unsettling, if only because every medical and healthcare facility at this point should know that they are one of the prime targets of cyber-attacks. Each and every medical and health organization needs to believe firmly that they are currently, or soon will be, under sustained attack and should therefore plan accordingly and assume a defensive cybersecurity posture. Adopting this defensive posture means not only applying traditional perimeter security and other base-level controls but also protecting the sensitive data itself. Through protection methods such as tokenization and format-preserving encryption, organizations can guard sensitive data from ever being compromised, even if that data falls into the wrong hands.
The usual warnings apply for Medibank customers, who will need to stay on guard against phishing attempts using the harvested information from this breach. Unfortunately, the breach includes information about patients’ diagnoses and procedures, meaning that it could be used in phishing attempts to create a sense of urgency, possibly spurring patients to react in a way that causes them to fall for scams.
This one begs the question of whether multifactor authentication was in place, especially if the compromised account had a level of access to view that amount of customer data.
The Medibank breach highlights the dangers of irreparable damage with the rising sophistication of nation-state-sponsored threat actors when coupled with a lack of zero trust policies. Such threat actors have advanced toolkits at their disposal that can render conventional cyber protection useless.
Businesses and governments should adopt advanced solutions such as stealth networking to combat these advanced threats. Prevention is better than cure, and stealth networking obfuscates sensitive corporate resources and flows of value, making them virtually impossible to target in the first place.
It seems like things are going from bad to worse for Medibank. The company initially said very few customers had been impacted by the breach, yet they have now revealed all customers were actually impacted.
This is bad news for Medibank customers, as attackers have had free-rein access to their data, even though they were initially led to believe it was safe. It’s also terrible for Medibank’s reputation, and they are going to struggle to recover from this incident.
Every day, businesses that are supposed to protect customer data get breached, and it is real people who must deal with the aftermath. Businesses must do more to protect the data they hold, but the methods they employ are unfit to fulfil those security purposes.
In almost all security breaches, hackers don’t hack in, they log in. They steal credentials without any obstacles because employees make and control the digital keys (passwords) to access an organisation’s network.
Consumers pay the price through monetary, identity and data theft, while organisations’ only remediation is to offer a free Experian credit monitoring account, or a new bank card, passport or driving licence. But this is far from being foolproof or acceptable, as there is some data in life that simply can’t be changed. Who can change their date of birth, or name, or face? When a company is breached and this type of information lands in the hands of cybercriminals, it stays there, forever.
The only way to successfully counter this problem is through access encryption, where passwords are protected from the knowledge of the employees themselves so criminals can’t steal or phish them.