Australia Crime

After Ransomware Gang Releases Sensitive Medical Data, Australia Vows Consequences (sbs.com.au) 58

Last week Australia's biggest health insurer, Medibank, said that data on all 4 million of its customers was breached. Now the group behind that breach "have since released more sensitive details of customers' medical records on the dark web, including data on abortions and alcohol issues," reports Australia's public broadcaster.

Their article points out that the release "follows Medibank's refusal to pay a ransom for the data, with almost 500,000 health claims stolen, along with personal information." But what's really interesting is that article's headline:

"'Hunt down the scumbags': Australian government to 'hack the hackers' behind Medibank breach"

The Australian government is going to "hunt down the scumbags" responsible for the Medibank hack that compromised the private information of nearly 10 million customers, cyber security minister Clare O'Neil said.... "Around 100 officers around these two organisations will be a part of this joint standing operation, and many of these officers will be physically co-located from the Australian Signals Directorate," she said. Ms. O'Neil said the officers will "show up to work every day" with the "goal of bringing down these gangs and thugs".

"This is the formalisation of a partnership — a standing body within the Australian government which will day in, day out, hunt down the scumbags who are responsible for these malicious crimes against innocent people," she said. "The smartest and toughest people in our country are going to hack the hackers...."

Australian Federal Police Commissioner Reece Kershaw on Friday said officers were also working with Interpol to track down the criminals. "We know who you are," he said. "The AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system."

One Australian think tank told the Associated Press that the breach was caused by a stolen username and password, sold on a Russian dark web forum. "In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the Australian Federal Police knows where the hackers are and are working to bring them to justice," reports TechCrunch:

The cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer, the blog said. "Unfortunately, we expect the criminal to continue to release stolen customer data each day," Medibank CEO David Koczkar said on Friday. "These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care."

Thanks to long-time Slashdot reader schwit1 for sharing the story.

  • Consequences? (Score:4, Insightful)

    by Opportunist ( 166417 ) on Saturday November 12, 2022 @12:43PM (#63045627)

    The Australian government is going to "hunt down the scumbags" responsible for the Medibank hack that compromised the private information of nearly 10 million customers

    That should be trivial, check the C-Levels of the Medibank, you'll find them there.

  • Paper Tiger (Score:5, Insightful)

    by Petersko ( 564140 ) on Saturday November 12, 2022 @12:47PM (#63045631)

    If righteous indignation and threats were enough, the trend would be over. They're just pissing in the wind.

  • Seems like a smart idea. Publicly calling out the hackers seems like an invitation for round 2

  • If the government is serious about stopping these sorts of crimes, they will devote some resources to preventing them from happening again. It isn't enough to pass a law saying that medical data must be secure, there also needs to be money to hire experts to make it secure. In addition, the people who will suffer a decrease in convenience as a consequence of the increased security need to be prevented from sabotaging it.

    • If the government is serious about stopping these sorts of crimes, they will devote some resources to preventing them from happening again. It isn't enough to pass a law saying that medical data must be secure, there also needs to be money to hire experts to make it secure.

      That "money" you speak of sits in CxOs bonus checks, not in the IT/Cybersecurity department. CxO salaries tend to prove money isn't the issue. It's gambling with security with zero fucking accountability that is the issue.

      And those "resources" you speak of may not be so welcome in 2 years after taxpayers fund a billion-dollar hacker-hunting program that can't actually catch hackers and results in zero change other than shitty taxes.

      • If the government is serious about stopping these sorts of crimes, they will devote some resources to preventing them from happening again. It isn't enough to pass a law saying that medical data must be secure, there also needs to be money to hire experts to make it secure.

        That "money" you speak of sits in CxOs bonus checks, not in the IT/Cybersecurity department. CxO salaries tend to prove money isn't the issue. It's gambling with security with zero fucking accountability that is the issue.

        And those "resources" you speak of may not be so welcome in 2 years after taxpayers fund a billion-dollar hacker-hunting program that can't actually catch hackers and results in zero change other than shitty taxes.

        Health care is heavily regulated. Those regulations can be tightened. The cost of ignoring them can be made larger than the cost of hiring someone to make sure they are followed. In the best case, providers of medical care can come up with some "best practices" and good documentation on how to follow them.

        • by ArmoredDragon ( 3450605 ) on Saturday November 12, 2022 @04:23PM (#63046029)

          While I can't speak for Australia, I worked cybersecurity in a HIPAA environment for 6 years. In the US, it already costs a lot more. But that does nothing to help you when low level employees do shit they're not supposed to do and even blatantly violate our own security policies that they agreed to follow. Fortunately we employed many technical measures to minimize the impact when they do, and indeed there was an incident where malware was deployed to one of our servers, and fortunately a technical measure prevented it from being able to do anything meaningful.

          However, those technical measures are NOT foolproof. Had the attacker used just a little more care in what he was doing, he probably could have gotten somewhere. If he had, idiots on slashdot would probably blame the management and rsilvergun would say that corporate greed was the cause (despite that the company I worked for was a nonprofit) and that this is why we need communism under a benevolent dictatorship, etc. And while I'm not management, I know it wouldn't have been their fault, though even internally they'd still bear the brunt of the blame.

          Anyways, stop being an armchair politician armchair manager when you know fuck all about either the topic at hand or even a single fucking thing about the realities of what's involved in protecting patient data while simultaneously enabling health care practitioners to be able to access that data to do their jobs.

          • Anyways, stop being an armchair politician armchair manager when you know fuck all about either the topic at hand or even a single fucking thing about the realities of what's involved in protecting patient data while simultaneously enabling health care practitioners to be able to access that data to do their jobs.

            It is certainly not easy to simultaneously protect patient data and enable health care practitioners to do their jobs. However, the current state of the art has room for improvement, recognizing that perfect security is not achievable. For example, you can segregate patient data so that a health care practitioner only has access to the data he needs to do his job. You can fire people who refuse to follow the security protocols, even if they are doctors.

            • That's not as straightforward as it sounds. Yes, we do monitor when non-practitioners access data, and if they do without any legitimate reason to, which is almost never, then they've got some splainin to do. For actual practitioners, things get a lot more complicated. You can't just say they don't get access until they need it, namely because -- especially in a hospital setting -- they could need access to it at just any time. Ultimately in everything IT, what took top priority was always whether something

              • That's not as straightforward as it sounds. Yes, we do monitor when non-practitioners access data, and if they do without any legitimate reason to, which is almost never, then they've got some splainin to do. For actual practitioners, things get a lot more complicated. You can't just say they don't get access until they need it, namely because -- especially in a hospital setting -- they could need access to it at just any time. Ultimately in everything IT, what took top priority was always whether something was patient care affecting. If we do anything that negatively impacts patient care, even if that means they so much as can't get access to a band-aid for a minor scrape, then our highest priority is to fix it.

                So when it comes to practitioners, they tend to have wide ranging access to medical records. Not always, but they tend to. We keep records of it. If they access patient data when they weren't involved in treating that patient, there isn't a whole lot we can do to preemptively stop them from doing so, but we can hold them accountable after the fact.

                And yet, closing the barn door after the horse has left does not solve the problem. What if you could do something like this:

                1) Every healthcare provider has a badge with his name and rank. Add to that an RFID chip which identifies the person.

                2) Add to every computer used for patient care an RFID reader. When a healthcare provider approaches a computer it knows who he is, and only requires a 4-digit PIN for login. Being away from a computer for longer than 5 minutes requires entering the PIN again. Mor

                • Trust me this has been thought through heavily. There are many use cases in a hospital that you haven't even begun to touch, including cases where the patient isn't even present, and when the provider doesn't even work for the hospital, which is more common than not. And RFID is super easy to defeat by the way, though ISO 14443 isn't. I've been at this a lot longer than you.

                  • Trust me this has been thought through heavily. There are many use cases in a hospital that you haven't even begun to touch, including cases where the patient isn't even present, and when the provider doesn't even work for the hospital, which is more common than not. And RFID is super easy to defeat by the way, though ISO 14443 isn't. I've been at this a lot longer than you.

                    So what is the solution? How can we prevent this from happening again? Or are you saying that there is no solution, and medical privacy is unachievable?

      • I don't get this "blame the victim" attitude that pervades slashdot when it comes to cyber incidents. There's no such fucking thing as foolproof security. They could have done everything right according to every standard and still been breached. And the C-levels are rarely the reason. It's typically some idiot, often times what I refer to as a low quality IT worker, falling for a phishing scam.

        • In this case, the fault would seem to be a compromised username and password that was not behind multiple forms of authentication to mitigate such a compromise.

          That MFA system was handed out in CxO bonuses over the last few years.

          There's no such thing as foolproof security, you're right. There's also no such thing as idiotproof management.

    • It isn't enough to pass a law saying that medical data must be secure, there also needs to be money to hire experts to make it secure.

      It's almost as if you believe something can be made 100% secure.

      The article summary says this breach was due to a stolen username/password. Which part of your expensive "security plan" would protect you from that?

      Nope. What needs to happen is for governments to get together, hunt these people down, put them in a very dark place for a very long time.

      • by ceoyoyo ( 59147 ) on Saturday November 12, 2022 @01:49PM (#63045729)

        Nothing is 100% secure, but ten million health records remotely accessible with a username and password is pretty bad.

        • Nothing is 100% secure, but ten million health records remotely accessible with a username and password is pretty bad.

          Exactly. In a decently secure environment, a single stolen username and password wouldn't give access to ten million health records with enough bandwidth to exfiltrate all of them before everyone whose records are compromised dies of old age.

          • The whole point of this "we'll find the bad cobbers" noise is to deflect questions on exactly that point.

            • The whole point of this "we'll find the bad cobbers" noise is to deflect questions on exactly that point.

              My hope is that, in addition to making the noise, they will actually try to fix the problem.

              • They'll spend the minimum resource fixing this issue, or some part of it. But unless C level people go to jail, t'will happen again.

                • They'll spend the minimum resource fixing this issue, or some part of it. But unless C level people go to jail, t'will happen again.

                  Perhaps I am a starry-eyed optimist, but I believe that if suffering the problem costs more than fixing it, the money will be found to fix it.

        • by NewtonsLaw ( 409638 ) on Saturday November 12, 2022 @05:21PM (#63046125)

          So true... I mean... who doesn't use MFA these days for this kind of data?

          Just a login name and password is totally insufficient for this level of data security. Even Google forces TFA for something as trivial as YouTube accounts these days!

  • Standard.... (Score:4, Interesting)

    by Kelxin ( 3417093 ) on Saturday November 12, 2022 @01:01PM (#63045653)
    More of the standard "we have no clue what we're talking about, so we're going to make threats to impress the public but this will have no effect on anyone that actually had a part in what happened". Governments, medical organizations, etc need to get it through their head. If it's accessible from the Internet, it will be accessed by people you don't want to have access. If a total data dump is not acceptable then the software needs to be programmed from the start to not allow that. Perhaps what we need is a dual internet system. One that allows unauthenticated communication such as vpns and random IP communication and another that only allows certified and verified source and destination communication such as having a "user cert and server cert" from a single entity that actually verifies ownership and if you don't have that cert you can't communicate on that network.
    • What you've described is not possible, at least for the amount of money you're willing to spend. With enough money, Medibank could buy every client and supplier a computer and provide a network connection, essentially building a private network. Anything else would not meet your 'separation' requirements. Is it possible? Yes. Is it cost effective? That depends on whether you ask before or after the leak.

      • What you've described is not possible, at least for the amount of money you're willing to spend. With enough money, Medibank could buy every client and supplier a computer and provide a network connection, essentially building a private network.

        Sure, right up until the gang uses the $5 wrench attack.

        https://xkcd.com/538/ [xkcd.com]

      • Re: Standard.... (Score:4, Interesting)

        by Kelxin ( 3417093 ) on Saturday November 12, 2022 @02:12PM (#63045775)
        So you're saying that every client and every provider needs unfettered access to every single data record in a system? I figure token based encryption per user could fix much of it, and IP based lock downs for providers would fix much of the rest.
      • Also, on the "building a new Internet", I'm thinking more like SSL + Twitter's blue check. Don't have a "blue check ssl", can't access a server. Have a blue check but not granted access to a server, then no access. Kind of like SSH keys for remote terminals, but the SSH key is only handed out to verified people, only works from specific regions, and includes all of that information encrypted into the cert along with a hash value. Something like id.me could be used to verify identities with certain case
    • by ceoyoyo ( 59147 )

      only allows certified and verified source and destination communication such as having a "user cert and server cert" from a single entity that actually verifies ownership and if you don't have that cert you can't communicate on that network.

      Unless you're worried about quantum computers or something eventually breaking your encryption, that's a properly configured VPN, maybe with an authentication dongle. No need to "build another Internet." Unless you're looking for VC funding of course.

  • If it was remotely possible to track down the people behind ransomware attacks, ransomware attacks would have stopped long ago.
  • Until it happens to you. Albanese, I'm looking at you.

    I am f#cking choking on popcorn here. What a time to be alive.
    • by jaa101 ( 627731 )

      What are the chances that none of Albanese (the Prime Minister) and the other members of his government are insured with Medibank? There are probably journalists and others scouring the data that have been released already looking for juicy stories on public figures.

      • What are the chances that none of Albanese (the Prime Minister) and the other members of his government are insured with Medibank?

        The same chance that you actually read the summary...

        Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen,

        0 %
        No chance.

      • by hoofie ( 201045 )

        Albanese has said he was a Medibank customer as are probably quite a lot of the Government. It's very common to have Private Medical Insurance in Australia as a "top-up" to the main system called Medicare as the tax system hits you harder if you earn more money and don't have Private Insurance.

        Politicians in Australia are much more "normal" on all sides of politics as the elevated special-being status they hold in the US would go down like a cup of cold sick here. The "man-or-women-of-the-people" image is c

  • by devslash0 ( 4203435 ) on Saturday November 12, 2022 @01:32PM (#63045691)

    Despite knowing quite well that there will be a number of "data casualties" along the way, not paying ransoms is the only way to disincentivise the use of ransomware, regardless of the consequences.

    • 1st comment to mention that, they did the right thing and are being clobbered for it. Never pay the Dane. Killing the criminal ponzi crypto system would sure slow this theft down even if the hacker scum are unindictable. Let's do that. Kill crypto and it grinds to a halt. And nothing of value would be lost since crypto's uses are all evil, not to mention its production. And never see yawning apes in hats again.
  • Offers popcorn to others.

    This ought to be interesting.

  • by Rick Schumann ( 4662797 ) on Saturday November 12, 2022 @01:35PM (#63045697) Journal
    These are likely Putin's boys, very likely even Russian military, looking to squeeze money out of Western countries to fund the illegal war of aggression against Ukraine, so sadly these Australian threats against them have no real teeth, Russia won't do shit about it even if they came up with names and evidence to back that up.
    What they should be focusing on is better protection of critical systems to start with.
    • These are likely Putin's boys, very likely even Russian military, looking to squeeze money out of Western countries to fund the illegal war of aggression against Ukraine, so sadly these Australian threats against them have no real teeth, Russia won't do shit about it even if they came up with names and evidence to back that up.

      So they are safe so long as they never leave Russia. If they ever visit the West then rendering them to a black site would be totally fine.

      Also, if Russia is to blame, then hacking Russian infrastructure is also fair game.

  • by nanoakron ( 234907 ) on Saturday November 12, 2022 @01:42PM (#63045711)

    Nobody thinking about prosecuting or imprisoning the people responsible for shoddy security in the first place?

    Until that happens, nothing will change.

    • Nobody thinking about prosecuting or imprisoning the people responsible for shoddy security in the first place?

      Putting the cart before the horse don't you think? What makes you so sure this was shoddy security practice? If you think that something can be made 100% secure then you're part of the problem that leads to security exploits.

    • As long as you're not targeting the actual IT people.... They're just following orders and pay checks. It's the upper management that always says "good enough, cheap enough, fast enough". You tell management that it will take 3 months to do something right and they'll come back that they want it in two weeks.
    • So hospital security is equal to Russian state supported hacker cyber security attacks? They didn't fend off Putin so off with their heads.
  • That's the only solution. If or when nefarious people get their hands on sensitive data, it will be of no value to them or anyone else because they lack the keys to decrypt it. It is logistically easier to secure a small amount of data (the keys) than it is to secure potentially many gigabytes or terabytes worth of sensitive information.
  • Hack the hackers back for payback and why isn't this done every time. Make them hurt.
  • Australia: A country that unwisely went with secret blacklists and centralized netnanny control in their effort to clean up and censor the internet in keeping with those pristine Australian values that only politicians at election time espouse.

    Australia: A country with what appears to be actual clowns in government office.

    Australia: Not only an easy target for hackers, but one that actually serves a deeper purpose re: the consequences of censorship and tyranny.
