Australia is tightening its oversight of Medibank and will assess whether further regulatory action is needed, following a data breach that affected 9.7 million customers. The insurance group has also pledged to share the results of an external review of the breach, believed to be the work of Russian hackers.
Noting that the breach raised concerns about the robustness of Medibank’s operational risk controls, the Australian Prudential Regulatory Authority (APRA) said on Monday it had “intensified” its oversight of Medibank. Consulting firm Deloitte had been commissioned to review the security incident as well as Medibank’s response and the effectiveness of its controls.
The financial services regulator said it would determine whether further regulatory action was needed when the findings of the external review were established.
APRA member Suzanne Smith said: “APRA expects Medibank to undertake all recommended corrective actions and to ensure that there is appropriate consequence management, including impacts on the executive compensation, if any.”
The government agency added that it would further intensify oversight of any entities that fail to comply with the country’s prudential information security standard CPS 234, which outlines the steps they must take to remain resilient in the face of to cybersecurity incidents.
“Recent cyberattacks reinforce the need for continued vigilance and board focus on operational resilience,” Smith said. “They are a stark reminder to boards to make sure they can answer these fundamental questions: Do you know what data you have? Do you know where it is? How do you know it’s safe? And should you keep them?
“Cybersecurity is a very significant risk area for all regulated entities and we remind banks, insurers and pension funds to remain vigilant in order to protect their beneficiaries and the Australian community,” she added.
In response, Medibank CEO David Koczkar said on Monday he had been consulting with APRA on the scope of the external review, which he had commissioned Deloitte to undertake.
“We will share key findings and implications of the review, as appropriate, taking into account the interests of our customers and stakeholders and the ongoing nature of the Australian Federal Police (AFP) investigation,” said Koczkar.
Earlier this month, police said Russian-based hackers were responsible for the breach, adding that they were working on “covert measures” with their international networks, including Interpol.”
AFP Commissioner Reece Kershaw said: “Our intelligence points to a group of loosely affiliated cybercriminals who are likely responsible for significant past breaches in countries around the world. These cybercriminals operate like a business with affiliates and associates who support the business. We also believe that some affiliates may be in other countries.”
Adding that his team knew but did not reveal the identities of the people behind the attack, Kershaw said ongoing investigations were focused on all parties involved. “What I will say is that we will have interviews with Russian law enforcement about these individuals,” he said.
AFP oversees the Australian National Central Bureau of Interpol, which is in direct contact with the National Central Bureau in Moscow.
Kershaw noted that Interpol’s National Central Bureaus could seek the cooperation of any other National Central Bureau in investigations that cross local borders. “It is important to note that Russia benefits from intelligence sharing and data shared through Interpol, and with that comes responsibility and accountability,” he said.
Medibank posted updates on the data compromised in the breach which appeared on a dark web forum. In a Nov. 20 statement, he confirmed that four more files containing 1,496 recordings had been released online, including 123 recordings from files previously released by the hackers.
Koczkar said the company would not pay any ransom, based on the advice of cybercrime experts and the belief that there was only a limited chance it would prevent the publication of its customers’ data. “Paying could have the opposite effect and encourage the criminal to extort our customers directly, and there’s a good chance paying could put more people at risk by making Australia a bigger target,” he said. declared.
The Australian government this month passed legislation to increase financial penalties for data privacy violators, raising the maximum fines for serious or repeated breaches to 50 million Australian dollars ($32.34 million), down from the current A$2.22 million, three times the value of any benefit. obtained through the misuse of data, or 30% of the company’s adjusted revenue during the relevant period, whichever is greater.
#Australia #steps #review #Medibank #data #breach