The Office of the Australian Information Commission (OAIC), which is responsible for upholding privacy and information access rights in the country, has taken Medibank to court over its October 2022 data breach incident.
The OAIC confirmed that it has filed civil penalty proceedings in the Federal Court against the insurer because it allegedly interfered with the privacy of 9.7 million Australians by failing to protect their personal information from unauthorised access or disclosure of breach of the Privacy Act 1988.
“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” said acting Australian Information Commissioner Elizabeth Tydd. “We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”
The OAIC filed civil penalty proceedings against Medibank after its investigation – initiated by Australian Information Commissioner Angelene Falk – of the data breach in which one or more cyber criminals accessed the personal information of millions of the insurer’s current and former customers.
“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” Tydd said.
Privacy Commissioner Carly Kind emphasised the responsibility of organisations to ensure data security.
“Organisations that collect, use, and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data,” she said. “This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”
In January, the Australian government identified Russian national Aleksandr Ermakov as the key figure behind the Medibank cyberattack and imposed financial sanctions against him. Australian intelligence linked Ermakov to a major Russian cybercrime group known for providing hacking tools for beginners in return for a portion of collected ransoms. Experts also claimed that Ermakov likely did not act alone.
In February, the Australian Federal Police (AFP) confirmed that Ermakov had been detained in Russia for his alleged cybercrimes.
During the same month, the OAIC released the findings of its latest analysation of data breaches reported under the Notifiable Data Breaches (NDB) scheme. Covering the latter half of 2023, the report noted an increase in reported data breaches from July 1 to December 31, increasing by 19% to 483 incidents, compared to 407 in the previous six months.
