The catastrophic Medibank data breach of October 2022 impacted 9.7 million current and former customers, exposing account details and sensitive personal information that made its way to the dark web.

In 2022, a Russian threat actor launched a ransomware attack against Medibank. After the company refused to pay the $15 million ransom, the attacker released sensitive information regarding insurance claims onto the dark web, including the personal details of customers treated for drug- and alcohol-related conditions, mental health issues and other highly sensitive diagnoses.

The OAIC, exercising its enforcement powers, has taken the unusual step of commencing civil penalty proceedings against Medibank, alleging that the company failed to take reasonable steps to protect customer data as the Privacy Act requires. The scale of the potential damages is eye-watering: the maximum penalty is $2m per contravention of the Privacy Act, and the proceedings concern 9.7 million affected individuals.

In bringing the case, the OAIC is effectively claiming negligence on the part of Medibank, which, with annual revenues of $7 billion and profits of $560 million, could have done much more to protect its customers’ data.

Shifting sands

Starting with the GDPR in 2018, global data protection and cybersecurity legislation has been dragged kicking and screaming into the 21st century. New legislation in Europe, the UK, the US and Australia includes increased powers for government, a greater emphasis on transparency and notification in the event of a breach, and significantly harsher financial penalties.

In a connected world, where digital services are delivered to the edge of increasingly borderless infrastructure, data is more vulnerable than ever. Networking and cybersecurity professionals are tasked with maintaining the confidentiality, authenticity and integrity of data as it traverses myriad private and public networks.

These networks are not inherently secure. Despite the global impetus behind zero trust architecture, the constant litany of breach headlines shows there is still a long way to go. According to a 2022 survey of more than 2,700 businesses, almost 40% of respondents indicated that only 21-40% of their cloud data was encrypted. That is simply not good enough.

A tipping point

There must come a point at which organisations look beyond the cost of implementing zero trust networks and weigh it against the cost of breach penalties. The GDPR has demonstrated that its bite is as bad as its bark, with a record-breaking €1.2 billion fine issued to Meta in 2023. The Equifax breach in 2017 resulted in penalties of around $600 million for “failure to take reasonable steps to protect its network”. In 2022 T-Mobile agreed a $350 million settlement in a class action lawsuit over a breach that occurred the year before. The supply chain compromise that saw Home Depot lose the credit card numbers and email addresses of over 50 million customers resulted in penalties of $200 million.

Of course, financial penalties are not the only consequence of a breach. IBM’s annual Cost of a Data Breach report puts the average cost at $4.45 million worldwide, covering detection and escalation, notification, post-breach response and lost business. Share prices take an average 5% hit when a breach is announced, and the long-term impact of lost brand reputation and customer trust is incalculable.

Trust nothing, encrypt everything.
