Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
Business
business reporter Emilia Terzon

Medibank, Optus hacks and ATO attacks expose identity-theft risks, warn cyber security experts

The Australian Tax Office has revealed it gets 3 million attempted hacks on its systems every month, in a staggering indication of why all companies and organisations should be worried about breaches to their customers' data.

Healthcare provider Medibank is the latest high-profile company to be hit by a cyber attack

In a statement, Medibank has now admitted that the personal data of some of its customers has been stolen in the cyber attack, including Medicare information, policy numbers, and some claims data.

It follows the breach on telco Optus, where hackers claimed to have accessed the data of 9.8 million current and former customers, including their passports, drivers licences and Medicare card details.

These hacks leave their customers vulnerable to identity theft, which can also lead to financial crime.

The concerning thing for both consumers and customers is that there are probably many other breaches routinely happening that aren't going identified.

"Boards are still not taking this issue seriously enough. There's definitely been improvements but these still attacks are still occurring," Professor Sanjay Jha from the UNSW Institute for Cybersecurity (IFCYBER) said.

"There is the prominent ones, but also lots and lots of less prominent ones.

"We have captured too much data all over the place.

"Everyone should be panicking. There is a lot at stake. Public confidence is very low."

What will be going on inside Medibank right now?

Fergus Hanson from ASPI's International Cyber Policy Centre told ABC News that the Medibank hack was particularly concerning because of the sorts of personal healthcare data that criminals could have gotten their hands on.

"It's a ruthless industry where (criminals will) do anything to get their money," he said.

Medibank first reported "unusual activity" had been detected on its network on October 12. The situation is still developing and Medibank has not revealed yet how many of its customers should be worried.

"I don't think anyone's ever on top of a situation like this straightaway," ASPI's Fergus Hanson said.

"What tends to happen is it takes a few days to understand exactly what happened and the extent of the compromise."

"Initially, it looked like they thought it might have been a service disruption that they were up against rather than a breach and as the situation has evolved, I think they've come to the realisation they've also had a data breach."

The IFCYBER's Professor Jha said that Medibank's forensic tech specialists would be racing to trace who had accessed its systems.

He said every system has logs or files that show data access history.

"There will be investigations, there will be a committee set up. It will involve experts, and these people know the technology very well," Professor Jha said. 

"So they will go through the logs inside different servers, network logs to see what kind of traffic was going in and out of the network.

"Which servers were either attended to or compromised, and they will go through database transaction logs to see who has access what and was that legitimate or not.

"Possibly also, someone will ask questions about their processes, if they have the risk assessment and penetration testing and other things in place, and is it is happening on a regular basis."

Basically, the company would be in detective mode to retrace data access, and it would be figuring out if it had enough protections in place.

Medibank said when the "unusual activity" was detected last week, it took the "precautionary action to temporarily block and isolate access".

Are companies doing enough to protect customer data?

This brings us back to Professor Jha's concerns that too much data is being collected.

Think about all the sorts of companies that you give data to these days.

It's now commonplace when you go to a fashion website to be asked to sign up to a newsletter. Retailers often ask people to sign up to loyalty schemes instore. Many of them do it for seemingly innocuous marketing purposes.

"We need to come to a regime where it should be on need-to-know basis, and there should be expiration dates (on collected data)," Professor Jha said.

"If you're buying a bottle of wine, they don't need to know your data.

"I do not want a company sending me emails 10 years down the track about their product because I use their services once."

Professor Jha said there was personal information protection software that people can use, however, it is unclear if major companies are allowing this to interact with their systems.

He wants companies to take this issue much more seriously.

"Partly, we need to harden our defences, partly executives need to take cybersecurity much more seriously, and partly, we need different types of regulation that try to deter cyber criminals from targeting Australian firms in the first place," he said.

Just this week, the Australian Tax Office's second commissioner Jeremy Hirschhorn made a speech highlighting the need to take these issues more seriously.

The ATO would be a prime example of an authority that is worried about a cyber hack, given the extreme amount of personal information it collects about all Australians for tax purposes.

In his speech, second commissioner Hirschhorn revealed the ATO is fending off 3 million attempted hacks on its systems every month.

"In the time it takes me to make this speech, there will be 4,000 attempted hacks on the ATO's system," he said.

"Someone recently described to me that data is not gold: it's uranium.

"Before you get, it you better know how you’re going to use and store it, and there needs to be very good reasons to take the risk.

"I would also acknowledge here that we recognise not all tax professionals (or their clients) have the same level of capability or access to digital services.

"We know we can't simply haul up the drawbridge and protect our castle, especially as we move into an integrated tax ecosystem.

"We want clients and their advisers to be able to continue to interact with us digitally, and with relative ease."

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.