Get wise on data or Medibank could happen to you

In a series of dark web blog posts, the REvil cybercrime gang this month began leaking thousands of private records stolen from Australia’s largest private health insurer Medibank.

The data dump was the result of Medibank’s refusal to pay a ransom demanded by the gang last month when 9.7 million of its current and former customers were exposed to a cyberattack that nabbed personal data such as name, address, date of birth and gender, along with significant amounts of sensitive health claims data.

Medibank said the hack might cost the company between $25 million-$35 million so it’s safe to say the insurer’s leaders are feeling a plethora of emotions after this debacle – from guilt, nervousness and fear to desperation, trepidation and, hopefully, contrition.

Australian cybersecurity minister Clare O’Neil called the cybercriminals “disgraceful human beings” for leaking the records but praised Medibank for being consistent with government advice and refusing to pay up in the event of a ransomware attack.

We are well past the point of issuing a “wake-up call” for businesses.

No matter how valuable a company believes its data is, they should quadruple that estimate – and then double it again.

This Medibank breach is not just about data; what sets it apart is that it involved confidential health data. Stealing this kind of data can have direct and even deadly consequences for at-risk people. If a company is collecting such data, it can’t simply be treated as a line item on the annual report – data like this is arguably the most important intangible asset a firm can possess.

In fact, as companies find new ways to merge, mix and holistically connect all sorts of seemingly innocuous data so they can generate better customer insights, every data pool now has the potential to be enormously damaging for real people should it ever leak to cybercriminals.

Think of the opportunities for manipulation, threats, extortion and impersonation that criminals now have because of the Medibank data theft. Likewise, there are bound to be rival businesses keen to see the insurer’s data as well so they can leap ahead of Medibank.

Of course, the only way to be 100% safe from cyberattacks is to not collect any customer data whatsoever. After all, if there’s nothing to steal, then criminals will move on to a juicier target. But too many companies have bet the house on capturing as much customer data as possible, so that solution would be economic suicide.

On the other hand, protecting a critical intangible asset like data is a cat-and-mouse game in which businesses compete with two hands and a foot tied behind their backs, while the cats can reach out to touch their prey from anywhere in the world. No matter what a company does to protect its data, there will always be a hacker working on a workaround. It’s an unfair game.

But that’s no excuse for complacency, especially when people’s lives and livelihoods are at risk.

Business leaders have two choices for solving the thorny problem of data: put in the hours to understand how to use and protect it or ignore the issue and hope roving cyber pirates don’t stumble across a database vulnerability.

As Medibank is now painfully aware, when (not if) a breach occurs companies across the world are likely to be subject to fines and – perhaps worse – the reputational hammer blow that comes from customers leaving in droves.

Many more governments will certainly be looking at the Medibank breach, along with other cyberattacks that occurred this year, and drafting up new plans to clamp down on firms that may be dragging their feet when it comes to protecting the personal data of citizens.

For example, the Australian government last month said it would increase the maximum penalties under the Privacy Act 1988 for serious repeated privacy breaches from the current $AU2.22 million, to either $AU50 million, 3x the value of the stolen data or 30% of adjusted revenue turnover in the relevant period, whichever is greater.

Back over the Tasman, even though New Zealand’s government updated its Privacy Act back in 2020, the maximum fine for a serious data breach is still a puny $10,000. By comparison, health and safety breaches can cost a company between $500,000 and $3 million. After the Medibank hack, it should now be clear that stolen health data can be as damaging as falling off a ladder.

The legislative landscape in the US is more nuanced since rules differ between states. But penalties for cyber breaches can range from $US1.5 million per year (or $US50,000 per stolen data record) and 1-10 years in prison under the HIPAA laws to $US100,000 for each violation and a $US10,000 fine for the directors, along with up to five years in prison, under the GLBA laws.

In the Information Age, it’s hard to believe any leader doesn’t understand the value of data. But apparently, dinosaurs still roam the earth. Worried business leaders that are reading about Medibank’s failure this week are advised to do three things – these are not optional:

• At a minimum, understand you are a custodian of a highly valuable intangible asset;
• Go shopping for the best ways to protect your data. No protection is perfect, but a hard target is less attractive than low-hanging fruit;
• Brainstorm ways to commercialise your data. Like money, data is useless until it is put to work.

The biggest lesson of Medibank’s troubles is that CEOs at every level must put more effort into understanding, defending and commercialising their greatest intangible asset – the data. Someone is bound to eventually squeeze value from your data. Make sure that’s you and not the bad guys.

Originally published on NZ Management Magazine