More stories

  • Medibank won't pay ransom as more stolen data shows up on dark web

    Medibank has confirmed more customer details compromised in a recent security breach have popped up on a dark web forum, describing the illegal sale as a disgrace. The Australian health insurer is refusing to fork out any ransom payment for the data, pointing to expert advice and government guidelines.

    “The weaponisation of people’s private information in an effort to extort payment is malicious and an attack on the most vulnerable members of our community,” Medibank CEO David Koczkar said in a statement Thursday. “The release of this stolen data on the dark web is disgraceful.”

    The company urged the public against downloading the data, which hackers last week had threatened to begin releasing on the forum. Reports have pegged ransom demands upwards of $10 million, or $1 for each compromised customer account.

    First announced last month, the security breach compromised the personal data of 9.7 million current and former customers as well as some of their authorised representatives. Amongst those impacted were 1.8 million international customers. According to Medibank, the hackers did not access primary identity documents such as drivers’ licences for local customers, or credit card and banking information. However, they were able to access data such as names, dates of birth, addresses, phone numbers, and email addresses. Health claims data of 480,000 customers was also leaked, including locations where they had received medical services and codes linked to diagnoses and procedures administered.

    Medibank on Wednesday ascertained the files had surfaced on the forum and appeared to be a sample of the data that was leaked, which included passport numbers of some customers who were international students. The insurer said it expected more batches to be released and would inform customers whose data had popped up on the forum.

    Koczkar said the company had no plans to pay any ransom to the hackers behind the data theft. “Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said Monday in a statement to the Australian Stock Exchange. “Paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

    “It is for these reasons we have decided we will not pay a ransom for this event,” he said. “This decision is consistent with the position of the Australian government.”

    Medibank said it was providing support to customers impacted by the breach through its Cyber Response Support Program, which included identity protection, financial measures, and mental wellbeing support. It added that it had beefed up existing monitoring of its network, adding detection, analytics, and forensics capabilities across its systems. It noted that it was required by law to retain some customer information for at least seven years from when the customer leaves.

    Australia passes law to increase breach penalties

    Meanwhile, Australia’s proposed legislation to increase financial penalties for data privacy violators was passed Wednesday. It pushes up maximum fines for serious or repeated breaches to AU$50 million ($32.34 million), from the current AU$2.22 million, or three times the value of any benefit obtained through the data misuse, or 30% of the company’s adjusted turnover in the relevant period, whichever is greater. The Bill also empowers the Australian Information Commissioner to resolve privacy breaches and more quickly share information about data breaches.

    A Sydney man on Tuesday pleaded guilty to attempting to blackmail customers affected by the Optus data breach in September.

    Australian Federal Police Assistant Commissioner Cyber Command Justine Gough said Wednesday it would seek out hackers responsible for cybersecurity attacks, such as the Medibank breach, even if they were based overseas. “We have significant powers, determination and access to international law enforcement networks to help investigate this breach,” Gough said. “This is not just an attack on an Australian business. Law enforcement agencies across the globe know this is a crime type that is borderless and requires evidence and capabilities to be shared.”

    “It is an offence to buy stolen data, which could be used for financial crimes,” he said, urging customers impacted by the Medibank data breach to report to the police if the hackers attempted to contact them with ransom demands. “Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years’ imprisonment.”

    According to the Office of the Australian Information Commissioner (OAIC), there were 396 reported data breaches between January and June 2022, a 14% dip compared to July to December 2021. Some 41% of all breaches, or 162 notifications to OAIC, were the result of cybersecurity incidents. The majority of cyber incidents, 51 notifications, involved ransomware, while 42 were due to phishing.

    The Office added that 24 data breaches affected at least 5,000 Australians, including four that affected at least 100,000 Australians. With the exception of one reported case, all of these data breaches were caused by cybersecurity incidents.

    Australian Information Commissioner and Privacy Commissioner Angelene Falk said: “Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place. I urge all organisations to review their personal information handling practices… Only collect necessary personal information and delete it when it is no longer required.”

    The OAIC report also found that 71% of entities notified the Office within 30 days of becoming aware of an incident, compared to 75% in the previous period.

    Falk said: “As the risk of serious harm to individuals often increases with time, organisations that suspect they have experienced an eligible data breach should treat 30 days as a maximum time limit for an assessment and aim to complete the assessment and notify individuals in a much shorter timeframe.”

  • Google Chrome: Apply new security update now to fix these six 'high severity' bugs

    Google has released a security update for its Google Chrome browser on Windows, Mac and Linux to fix ten security vulnerabilities, some of which could allow remote attackers to crash vulnerable systems. Google has detailed some of the fixes in a Google Chrome release update – although the company is currently withholding full […]

  • Cybersecurity: These are the new things to worry about in 2023

    A year is a long time in cybersecurity. Certainly, there are some constants. Ransomware has been a major cybersecurity issue for years, but shows no signs of going away as cyber criminals continue to evolve their attacks. And significant numbers of enterprise networks remain vulnerable, often as a result of security flaws for […]

  • Microsoft Patch Tuesday fixes 11 critical security vulnerabilities and six zero-days being actively exploited

    Microsoft has released 64 patches addressing security vulnerabilities across its products including 11 flaws that are classed as critical – and six vulnerabilities that are actively being exploited by cyber attackers. The security flaws impact Microsoft products including Windows, Microsoft Azure, Microsoft Exchange Server, Microsoft Office and more, some of which have […]

  • Cybersecurity leaders want to quit. Here's what is pushing them to leave

    Almost a third of chief information security officers (CISOs) and IT security managers in the UK and US are considering leaving their current organization, according to new research. Not only that, but a third are planning to quit their jobs within the next six months. Cybersecurity firm BlackFog surveyed over […]

  • Shangri-La hotel data breach likely had 'minimal' impact at Singapore ministerial summit

    A recent data breach that hit eight Shangri-La hotels is unlikely to have a large impact on foreign government delegates who attended a high-level defence summit in Singapore, which was held at the hotel. Hackers claiming to have instigated the attack apparently have made contact with the hotel chain.

    Shangri-La Group said Friday it received an email from senders who claimed responsibility for the data security breach that it announced on September 30. As a precaution, the hotel group said it informed the relevant law enforcement and regulators about the email. It added that more details would be provided when it had more to share.

    The data breach had affected eight of its hotels, including in Singapore, Taipei, Tokyo, Hong Kong, and Chiang Mai. In an email the hotel chain sent to affected guests, Shangri-La Group’s senior vice president of operations and process transformation Brian Yu said a “sophisticated threat actor” had bypassed the company’s cybersecurity monitoring systems undetected and “illegally accessed the guest databases”. Its investigation determined that the breach had occurred between May and July this year, Yu said.

    The affected databases had contained personal information such as names, phone numbers, and email addresses as well as membership numbers and reservation dates. According to Yu, data such as passport numbers, identification numbers, dates of birth, and credit card numbers were encrypted.

    ZDNET emailed Shangri-La with questions on how the breach occurred, why it was undetected for four months, and what the hackers had asked for in their email. This article will be updated when the hotel responds.

    In a statement following the incident, Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) said it was notified about the breach in the evening of September 29. It said personal data of more than 290,000 customers in Hong Kong might have been compromised in the breach, which affected three local hotels including Kowloon Shangri-La. Expressing disappointment that customers as well as PCPD were only informed more than two months after Shangri-La was aware of the incident, the Hong Kong privacy commissioner said it had commenced a compliance check on the breach.

    Singapore on Monday said it also was working with the hotel group to improve safeguards. Defence ministers from around the globe, including the US, Japan, and Australia, had gathered at a defence summit held at Shangri-La Singapore in June, during which the hotel’s database already had been infiltrated and the breach undetected. The impact on guests, though, was likely to be “minimal”, said Singapore’s Ministry of Communications and Information (MCI) in a written parliamentary response.

    “The majority of the Shangri-La hotel guests who attended the 19th Shangri-La Dialogue, especially dignitaries, registered in groups through their embassies without submitting their personal details,” MCI said, adding that some hotel guests who provided their personal particulars had been contacted by the hotel group about the breach. While the impact on the summit was “likely to be minimal”, MCI said Singapore’s Defence Ministry was taking further steps with the summit organiser as well as Shangri-La to “enhance safeguards”.

  • Password-hacking attacks are on the rise. Here's how to stop your accounts from being stolen

    Cyber crooks are making almost 1,000 attempts to hack account passwords every single second – and they’re more determined than ever, with the number of attacks on the rise. The figures come from Microsoft’s Digital Defense Report 2022 and are based on analysis of trillions of alerts and signals collected from the […]

  • Cloud computing is booming, but these are the challenges that lie ahead

    Cloud adoption is not slowing down, but that doesn’t mean 2023 is going to be an easy year for users of on-demand computing services. According to a recent report by tech analyst Gartner, worldwide consumer spending on public cloud services is forecast to grow 20.7% to $591.8 billion in 2023, up from […]