Hacks expose Australia as years behind on cybersecurity

In the past few days the millions of Australian victims of cyberhacking at Optus and Medibank Private must feel like they have woken up in a real-life episode of the tech-horror television series Black Mirror.

The two companies separately announced that their databases had been compromised weeks ago but the extent of the threat is only now becoming clear.

It has emerged that hackers sent a demand for $15 million to health insurer Medibank or they would release the personal data of the 9.7 million customers which the company now says were affected.

After the company refused, the hackers – believed to be based in Russia – have made good on their threat and this week started releasing data of 1,000 Medibank policyholders, reportedly including details of treatment for drug addiction and highly sensitive medical procedures.

Meanwhile, scammers have reportedly used data from the Optus hack to steal tens of thousands of dollars from people’s bank accounts.

Optus on Thursday put aside $140 million in “exceptional expenses” for the “expected costs of actions to prevent harm to customers, such as the replacement of identity documents, and in relation to recovery activities”.

Loading

It is not clear how much further this disaster can spread. “We are going through a difficult period now that may last for weeks, possibly months, not days and hours,” Home Affairs Minister Clare O’Neil said on Thursday.

Some experts warn, for example, that after failing in their attempt to extract cash from Medibank, the hackers will try to blackmail or scam individuals.

Whatever new twists the story takes, it is already obvious that the Australian government and business have seriously underestimated the threat posed by cyberhackers.

While most experts seem to think the companies have done the right thing by rejecting ransom demands, it should not have come to this.

While the companies are victims, they must also bear a share of the blame.

It seems likely that Medibank and Optus and many other companies have not invested enough in cyber security technology.

They have now discovered that this was a false economy. Medibank’s share price has fallen 20 per cent since the attacks as investors appreciate the damage to its brand.

Business risks like these should be incentive enough for far-sighted business leaders to invest more but government action is also necessary to enforce basic standards.

O’Neill said on Thursday Australia is five years behind in its approach to cybersecurity and promised a reform package that is expected to include much tougher fines for companies. The current maximum fine of about $2 million is completely inadequate.

The rules should also give stronger guidelines on what personal data companies can collect and retain. Hackers cannot steal information that companies do not have.

It may be necessary to require companies to encrypt more sensitive information.

The reforms are long overdue and O’Neill should bring them to parliament urgently. The opposition, which was asleep at the wheel when it was in government, should take a constructive attitude.

One small way companies and individuals can help is by refusing to amplify any leaks of personal information. Companies and individuals will only be helping the hackers if they make a big deal out of it or even use it as a reason to victimise the victims of the leaks.

After the hijacking of planes on 9/11, businesses around the world had to spend tens of billions upgrading airport security.

The hacks of the past month, although not comparable in the pain caused, point to the need for a similar sea change in cyber security.

Bevan Shields sends an exclusive newsletter to subscribers each week. Sign up to receive his Note from the Editor.