Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Australia Crime

After Ransomware Gang Releases Sensitive Medical Data, Australia Vows Consequences (sbs.com.au) 58

Last week Australia's bigest health insurer, Medibank, said that data on all 4 million of its customers was breached. Now the group behind that breach "have since released more sensitive details of customers' medical records on the dark web, including data on abortions and alcohol issues," reports Australia's public broadcaster.

Their article points out that the release "follows Medibank's refusal to pay a ransom for the data, with almost 500,000 health claims stolen, along with personal information." But what's really interesting is that article's headine:

" 'Hunt down the scumbags': Australian government to 'hack the hackers' behind Medibank breach" The Australian government is going to "hunt down the scumbags" responsible for the Medibank hack that compromised the private information of nearly 10 million customers, cyber security minister Clare O'Neil said.... "Around 100 officers around these two organisations will be a part of this joint standing operation, and many of these officers will be physically co-located from the Australian Signals Directorate," she said. Ms. O'Neil said the officers will "show up to work every day" with the "goal of bringing down these gangs and thugs".

"This is the formalisation of a partnership — a standing body within the Australian government which will day in, day out, hunt down the scumbags who are responsible for these malicious crimes against innocent people," she said. "The smartest and toughest people in our country are going to hack the hackers...."

Australian Federal Police Commissioner Reece Kershaw on Friday said officers were also working with Interpol to track down the criminals. "We know who you are," he said. "The AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system."

One Australian think tank told the Associated Press that the breach was caused by a stolen username and password, sold on a Russian dark web forum. "In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the Australian Federal Police knows where the hackers are and are working to bring them to justice," reports TechCrunch: The cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer, the blog said. "Unfortunately, we expect the criminal to continue to release stolen customer data each day," Medibank CEO David Koczkar said on Friday. "These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care."
Thanks to long-time Slashdot reader schwit1 for sharing the story.
This discussion has been archived. No new comments can be posted.

After Ransomware Gang Releases Sensitive Medical Data, Australia Vows Consequences

Comments Filter:
  • Consequences? (Score:4, Insightful)

    by Opportunist ( 166417 ) on Saturday November 12, 2022 @11:43AM (#63045627)

    The Australian government is going to "hunt down the scumbags" responsible for the Medibank hack that compromised the private information of nearly 10 million customers

    That should be trivial, check the C-Levels of the Medibank, you'll find them there.

  • Paper Tiger (Score:5, Insightful)

    by Petersko ( 564140 ) on Saturday November 12, 2022 @11:47AM (#63045631)

    If righteous indignation and threats were enough, the trend would be over. They're just pissing in the wind.

  • Seems like a smart idea. Publicly calling out the hackers seems like an invitation for round 2

  • If the government is serious about stopping these sorts of crimes, they will devote some resources to preventing them from happening again. It isn't enough to pass a law saying that medical data must be secure, there also needs to be money to hire experts to make it secure. In addition, the people who will suffer a decrease in convenience as a consequence of the increased security need to be prevented from sabotaging it.

    • If the government is serious about stopping these sorts of crimes, they will devote some resources to preventing them from happening again. It isn't enough to pass a law saying that medical data must be secure, there also needs to be money to hire experts to make it secure.

      That "money" you speak of sits in CxOs bonus checks, not in the IT/Cybersecurity department. CxO salaries tend to prove money isn't the issue. It's gambling with security with zero fucking accountability that is the issue.

      And those "resources" you speak of may not be so welcome in 2 years after taxpayers fund a billion-dollar hacker-hunting program that can't actually catch hackers and results in zero change other than shitty taxes.

      • If the government is serious about stopping these sorts of crimes, they will devote some resources to preventing them from happening again. It isn't enough to pass a law saying that medical data must be secure, there also needs to be money to hire experts to make it secure.

        That "money" you speak of sits in CxOs bonus checks, not in the IT/Cybersecurity department. CxO salaries tend to prove money isn't the issue. It's gambling with security with zero fucking accountability that is the issue.

        And those "resources" you speak of may not be so welcome in 2 years after taxpayers fund a billion-dollar hacker-hunting program that can't actually catch hackers and results in zero change other than shitty taxes.

        Health care is heavily regulated. Those regulations can be tightened. The cost of ignoring them can be made larger than the cost of hiring someone to make sure they are followed. In the best case, providers of medical care can come up with some "best practices" and good documentation on how to follow them.

        • by ArmoredDragon ( 3450605 ) on Saturday November 12, 2022 @03:23PM (#63046029)

          While I can't speak for Australia, I worked cybersecurity in a HIPAA environment for 6 years. In the US, it already costs a lot more. But that does nothing to help you when low level employees do shit they're not supposed to do and even blatantly violate our own security policies that they agreed to follow. Fortunately we employed many technical measures to minimize the impact when they do, and indeed there was an incident where malware was deployed to one of our servers, and fortunately a technical measure prevented it from being able to do anything meaningful.

          However, those technical measures are NOT foolproof. Had the attacker used just a little more care in what he was doing, he probably could have gotten somewhere. If he had, idiots on slashdot would probably blame the management and rsilvergun would say that corporate greed was the cause (despite that the company I worked for was a nonprofit) and that this is why we need communism under a benevolent dictatorship, etc. And while I'm not management, I know it wouldn't have been their fault, though even internally they'd still bear the brunt of the blame.

          Anyways, stop being an armchair politician armchair manager when you know fuck all about either the topic at hand or even a single fucking thing about the realities of what's involved in protecting patient data while simultaneously enabling health care practitioners to be able to access that data to do their jobs.

          • Anyways, stop being an armchair politician armchair manager when you know fuck all about either the topic at hand or even a single fucking thing about the realities of what's involved in protecting patient data while simultaneously enabling health care practitioners to be able to access that data to do their jobs.

            It is certainly not easy to simultaneously protect patient data and enable health care practitioners to do their jobs. However, the current state of the art has room for improvement, recognizing that perfect security is not achievable. For example, you can segregate patient data so that a health care practitioner only has access to the data he needs to do his job. You can fire people who refuse to follow the security protocols, even if they are doctors.

            • That's not as straightforward as it sounds. Yes, we do monitor when non-practitioners access data, and if they do without any legitimate reason to, which is almost never, then they've got some splainin to do. For actual practitioners, things get a lot more complicated. You can't just say they don't get access until they need it, namely because -- especially in a hospital setting -- they could need access to it at just any time. Ultimately in everything IT, what took top priority was always whether something

              • That's not as straightforward as it sounds. Yes, we do monitor when non-practitioners access data, and if they do without any legitimate reason to, which is almost never, then they've got some splainin to do. For actual practitioners, things get a lot more complicated. You can't just say they don't get access until they need it, namely because -- especially in a hospital setting -- they could need access to it at just any time. Ultimately in everything IT, what took top priority was always whether something was patient care affecting. If we do anything that negatively impacts patient care, even if that means they so much as can't get access to a band-aid for a minor scrape, then our highest priority is to fix it.

                So when it comes to practitioners, they tend to have wide ranging access to medical records. Not always, but they tend to. We keep records of it. If they access patient data when they weren't involved in treating that patient, there isn't a whole lot we can do to preemptively stop them from doing so, but we can hold them accountable after the fact.

                And yet, closing the barn door after the horse has left does not solve the problem. What if you could do something like this:

                1) Every healthcare provider has a badge with his name and rank. Add to that an RFID chip which identifies the person.

                2) Add to every computer used for patient care an RFID reader. When a healthcare provider approaches a computer it knows who he is, and only requires a 4-digit PIN for login. Being away from a computer for longer than 5 minutes requires entering the PIN again. Mor

                • Trust me this has been thought through heavily. There are many use cases in a hospital that you haven't even begun to touch, including cases where the patient isn't even present, and when the provider doesn't even work for the hospital, which is more common than not. And RFID is super easy to defeat by the way, though ISO 14443 isn't. I've been at this a lot longer than you.

                  • Trust me this has been thought through heavily. There are many use cases in a hospital that you haven't even begun to touch, including cases where the patient isn't even present, and when the provider doesn't even work for the hospital, which is more common than not. And RFID is super easy to defeat by the way, though ISO 14443 isn't. I've been at this a lot longer than you.

                    So what is the solution? How can we prevent this from happening again? Or are you saying that there is no solution, and medical privacy is unachievable?

      • I don't get this "blame the victim" attitude that pervades slashdot when it comes to cyber incidents. There's so such fucking thing as foolproof security. They could have done everything right according to every standard and still been breached. And the C-levels are rarely the reason. It's typically some idiot, often times what I refer to as a low quality IT worker, falling for a phishing scam.

        • In this case, the fault would seem to be a compromised username and password that was not behind multiple forms of authentication to mitigate such a compromise.

          That MFA system was handed out in CxO bonuses over the last few years.

          There's no such thing as foolproof security, you're right. There's also no such thing as idiotproof management.

    • It isn't enough to pass a law saying that medical data must be secure, there also needs to be money to hire experts to make it secure.

      It's almost as if you believe something can be made 100% secure.

      The article summary says this breach was due to a stolen username/password. Which part of your expensive "security plan" would protect you from that?

      Nope. What needs to happen is for governments to get together, hunt these people down, put them in a very dark place for a very long time.

      • by ceoyoyo ( 59147 ) on Saturday November 12, 2022 @12:49PM (#63045729)

        Nothing is 100% secure, but ten million health records remotely accessible with a username and password is pretty bad.

        • Nothing is 100% secure, but ten million health records remotely accessible with a username and password is pretty bad.

          Exactly. In a decently secure environment, a single stolen username and password wouldn't give access to ten million health records with enough bandwidth to exfiltrate all of them before everyone whose records are compromised dies of old age.

          • The whole point of this "we'll find the bad cobbers" noise is deflect questions on exactly that point.

            • The whole point of this "we'll find the bad cobbers" noise is deflect questions on exactly that point.

              My hope is that, in addition to making the noise, they will actually try to fix the problem.

              • They'lll spend the minimum resource fixing this issue, or some part of it. But unless C level people go to jail, t'will happen again.

                • They'lll spend the minimum resource fixing this issue, or some part of it. But unless C level people go to jail, t'will happen again.

                  Perhaps I am a starry-eyed optimist, but I believe that if suffering the problem costs more than fixing it, the money will be found to fix it.

        • by NewtonsLaw ( 409638 ) on Saturday November 12, 2022 @04:21PM (#63046125)

          So true... I mean... who doesn't use MFA these days for this kind of data?

          Just a login name and password is totally insufficient for this level of data security. Even Google forces TFA for something as trivial as YouTube accounts these days!

  • Standard.... (Score:4, Interesting)

    by Kelxin ( 3417093 ) on Saturday November 12, 2022 @12:01PM (#63045653)
    More of the standard "we have no clue what we're talking about, so we're going to make threats to impress the public but this will have no effect on anyone that actually had a part in what happened".. Governments, medical organizations, etc need to get it through their head. If it's accessible from the Internet, it will be accessed by people you don't want to have access. If a total data dump is not acceptable then the software needs to be programmed from the start to not allow that. Perhaps what we need it a dual internet system. One that allows unauthenticated communication such as vpns and random IP communication and another that only allows certified and verified source and destination communication such as having a "user cert and server cert" from a single entity that actually verifies ownership and if you don't have that cert you can't communicate on that network.
    • What you've described is not possible, at least for the amount of money you're willing to spend. With enough money, Medibank could buy every client and supplier a computer and provide a network connection, essentially buiding a private network. Anything else would not meet your 'separation' requirements. Is it possible? Yes. Is it cost effective? That depends on whether you ask before or after the leak.

      • What you've described is not possible, at least for the amount of money you're willing to spend. With enough money, Medibank could buy every client and supplier a computer and provide a network connection, essentially buiding a private network.

        Sure, right up until the gang uses the $5 wrench attack.

        https://xkcd.com/538/ [xkcd.com]

      • Re: Standard.... (Score:4, Interesting)

        by Kelxin ( 3417093 ) on Saturday November 12, 2022 @01:12PM (#63045775)
        So you're saying that every client and every provider needs unfettered access to every single data record in a system? I figure token based encryption per user could fix much of it, and IP based lock downs for providers would fix much of the rest.
      • Also, on the "building a new Internet", I'm thinking more like SSL + Twitters blue check. Don't have a "blue check ssl", can't access a server. Have a blue check but not granted access to a server, then no access. Kind of like SSH keys for remote terminals, but the SSH key is only handed out to verified people, only works from specific regions, and includes all of that information encrypted into the cert along with a hash value. Something like id.me could be used to verify identities with certain case
    • by ceoyoyo ( 59147 )

      only allows certified and verified source and destination communication such as having a "user cert and server cert" from a single entity that actually verifies ownership and if you don't have that cert you can't communicate on that network.

      Unless you're worried about quantum computers or something eventually breaking your encryption, that's a properly configured VPN, maybe with an authentication dongle. No need to "build another Internet." Unless you're looking for VC funding of course.

  • If it was remotely possible to track down the people behind ransomware attacks, ransomware attacks would have stopped long ago.
  • Until it happens to you. Albanese, I'm looking at you.

    I am f#cking choking on popcorn here. What a time to be alive.
    • by jaa101 ( 627731 )

      What are the chances that none of Albanese (the Prime Minister) and the other members of his government are insured with Medibank? There are probably journalists and others scouring the data that have been released already looking for juicy stories on public figures.

      • What are the chances that none of Albanese (the Prime Minister) and the other members of his government are insured with Medibank?

        The same chance that you actually read the summary...

        Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen,

        0 %
        No chance.

      • by hoofie ( 201045 )

        Albanese has said he was a Medibank customer as are probably quite a lot of the Government. It's very common to have Private Medical Insurance in Australia as a "top-up" to the main system called Medicare as the tax system hits you harder if you earn more money and don't have Private Insurance.

        Politicians in Australia are much more "normal" on all sides of politics as the elevated special-being status they hold in the US would go down like a cup of cold sick here. The "man-or-women-of-the-people" image is c

  • by devslash0 ( 4203435 ) on Saturday November 12, 2022 @12:32PM (#63045691)

    Despite knowing quite well that there will be a number of "data casualities" along the way, not paying ransoms is the only way to disincentivise the use of ransomware, regardless of the consequences.

    • 1st comment to mention that, they did the right thing are are being clobbered for it. Never pay the Dane. Killing the criminal ponzi crypto system would sure slow this theft down even if the hacker scum are unindictable. Let's do that. Kill crypto and it grinds to a halt. And nothing of value would be lost since crypto's uses are all evil, not to mention its production. And never see yawning apes in hats again.
  • Offers popcorn to others.

    This ought to be interesting.

  • by Rick Schumann ( 4662797 ) on Saturday November 12, 2022 @12:35PM (#63045697) Journal
    These are likely Putins' boys, very likely even Russian military, looking to squeeze money out of Western countries to fund the illegal war of aggression against Ukraine, so sadly this Australian threats against them has no real teeth, Russia won't do shit about it even if they came up with names and evidence to back that up.
    What they should be focusing on is better protection of critical systems to start with.
    • These are likely Putins' boys, very likely even Russian military, looking to squeeze money out of Western countries to fund the illegal war of aggression against Ukraine, so sadly this Australian threats against them has no real teeth, Russia won't do shit about it even if they came up with names and evidence to back that up.

      So they are safe so long as they never leave Russia. If they ever visit the West then rendering them to a black site would be totally fine.

      Also, If Russia is to blame, then hacking Russian infrastructure is also fair game.

  • by nanoakron ( 234907 ) on Saturday November 12, 2022 @12:42PM (#63045711)

    Nobody thinking about prosecuting or imprisoning the people responsible for shoddy security in the first place?

    Until that happens, nothing will change.

    • Nobody thinking about prosecuting or imprisoning the people responsible for shoddy security in the first place?

      Putting the cart before the horse don't you think? What makes you so sure this was shoddy security practice? If you think that something can be made 100% secure then you're part of the problem that leads to security exploits.

    • As long as you're not targeting the actual IT people.... They're just following orders and pay checks. It's the upper management that always says "good enough, cheap enough, fast enough". You tell management that it will take 3 months to do something right and they'll come back that they want it in two weeks.
    • So hospital security is equal to Russian state supported hacker cyber security attacks? They didn't fend off Putin so off with their heads.
  • That's the only solution. If or when nefarious people get their hands on sensitive data, it will be of no value to them or anyone else because they lack the keys to decrypt it. It is logistically easier to secure a small amount of data (the keys) than it is to secure potentially many gigabytes or terabytes worth of sensitive information.
  • Hack the hackers back for payback and why isn't this done every time. Make them hurt .
  • Australia: A country that unwisely went with secret blacklists and centralized netnanny control in their effort to clean up and censor the internet in keeping with those pristine Australian values that only politicians at election time espouse.

    Australia: A country with what appears to be actual clowns in government office.

    Australia: Not only an easy target for hackers, but one that actually serves a deeper purpose re: the consequences of censorship and tyranny.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...