Health insurer’s data breach should rejig any short-term memory loss
People are using words like ‘stabilizing,’ ‘maturing,’ and ‘optimism’ in relation to the cyber insurance market – and whether they’re apt terms to describe the current state of the sector or not, I strongly believe this is no time for the industry to relax.
In fact, I’m not sure the cyber insurance industry will ever be able to relax (consider that if you’re seeking a low-stress desk job). The good guys (you, the insurers) are always seemingly one step behind the threat actors. New attack vectors are emerging all the time, and so far, it’s proven impossible to keep up.
So, even if the above stats are true and there was a slight decrease in ransomware activity in the early months of 2022, there will always be a new type of attack keeping business leaders, risk managers, and cyber insurers up at night – not to forget ransomware constantly bubbling under the surface.
Turn your attention to Australia, where the country’s largest private health insurer – Medibank Private Ltd., which covers approximately one-sixth of Australians – is struggling with a crippling cyberattack. This wasn’t a ransomware attack (although a ransom was demanded); it was a data breach in which hackers exposed hackers exposed the private information of around 9.7 million current and former Medibank customers and some of their authorized representatives.
Medibank first announced it had detected “unusual activity” on its internal systems on October 13, but it dealt with the cyberattack and initially reported “no evidence that customer data had been accessed” during the breach. The narrative changed on October 17, when a malicious party – now believed to be a rebrand of the defunct Russian ransomware group REvil – threatened to leak Medibank customers’ private medical data unless the insurer paid a ransom.
On November 7, the private health insurer said it will not pay a ransom – a decision endorsed by Australian Home Affairs Minister Clare O’Neil – but by November 10, the hackers had released private medical information on the dark web, including a file labelled “abortions” and a “naughty-list” file reportedly including details of people who had sought medical treatment for HIV, drug addition, alcohol abuse, or for mental health issues.
What a catastrophe. And the toughest part is, Medibank did everything seemingly by the book. Since its initial breach report on October 13, the health insurance giant has shared regular updates on the situation (including when new private medical data is leaked), the status of its investigation, and it has provided hotlines, assistance, and critical response tools for victims.
Medibank’s decision not to pay a ransom was endorsed by the Australian government, but despite the Australian Minister of Home Affairs Clare O’Neil warning the “scumbags behind this attack” that “the smartest and toughest people in this country are coming [at] you” during question time in Australian parliament on November 10, the hackers keep leaking more data. They’re laughing at us.
The Medibank data breach is a very significant and complex event, which (at the time of writing) is still unfolding. No doubt, when it has finally reached its conclusion, this mega breach will provide learning opportunities for insurers, brokers, and business leaders worldwide.
For now, I hope that it rejigs people’s memories. Even if your country or your market has been lucky enough to experience a plateau or a decline in cyber insurance losses through 2022, or a drop in the frequency and/or severity of ransomware attacks, others, like Australia, have not been as fortunate.
There will always be someone, somewhere, on the receiving end of criminal cyber activity. It’s the nature of the risk, and we are all exposed. I cannot fully embrace the optimism I’ve heard of in the cyber insurance marketplace when the next business-ending or state-stalling attack is likely right around the corner.