Every day, the people of NSW offer their personal information to government agencies, which is a significant undertaking of trust. In doing so, they enable the government to provide them with quality, connected services, and the information required to continually improve these services to best meet their needs.
With millions of Australians living out their worst data breach nightmares following the unscrupulous hack on Medibank, the NSW Government will introduce a Bill to Parliament requiring all government agencies to establish greater protections for their customers.
Almost 10 million Medibank customers woke on Thursday to the news their stolen private data, including sensitive information relating to drug addiction and mental health, could be released on the dark web.
The criminal group behind the attack has uploaded the second tranche of data this week, labelled “abortions.csv” and containing details including names, date of birth, Medicare numbers and billing codes that indicate abortion procedures. REvil started releasing data on Wednesday in the form of two documents, titled a “naughty” and a “nice” list.
In a disturbing message posted on the dark web on Thursday, the hackers also revealed they offered a ransom of $US10 million ($15.5 million) to Australia’s largest health insurer to not leak the data. However, Medibank told the group it wouldn’t pay.
“Added one more file abortions.csv …,” the post said.
“Society ask us about ransom, it’s a 10 millions (sic) USD (A$15.5 million). We can make discount 9.7m (A$15 million) 1$ (A$1.60)=1 customer.”
Medibank CEO David Koczkar on Thursday blasted the latest leak as a “malicious” attack on vulnerable Australians, and reassured customers they will have access to support programs, identity protection and financial hardship measures.
“We take the responsibility to secure our customer data seriously and we again unreservedly apologise to our customers,” Koczkar said.
“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.
“The criminal has released an additional file on a dark web forum containing customer data that is believed to have been stolen from our systems. These are real people behind this data and the misuse of their data is disgraceful and may discourage them from seeking medical care.”
Meanwhile, Attorney General Mark Speakman announced on Thursday that NSW will become the first state or territory in Australia to have a “mandatory notification scheme” for its government agencies to ensure a better response to breaches of personal data. The change comes in the wake of this week’s Medibank breach and the hack on Optus in September.
The Privacy and Personal Information Protection Amendment Bill 2022 will be introduced this month, and if passed will require agencies to keep logs of serious breaches, make “reasonable attempts” to mitigate the harm done by a data breach, and alert affected people. The agencies will also be forced to escalate incidents to the Privacy Commissioner.
The changes will apply to all NSW public sector agencies, including departments, local councils, bodies whose accounts are subject to the Auditor General and some universities.
“Every day, the people of NSW offer their personal information to government agencies, which is a significant undertaking of trust,” Speakman said.
“In doing so, they enable the government to provide them with quality, connected services, and the information required to continually improve these services to best meet their needs.
“In return, the government has a responsibility to effectively and proactively protect and respect that personal information.
“Agencies will also have to satisfy a number of data management requirements, including making reasonable attempts to mitigate the harm done by a data breach, maintaining an internal data breach incident register, and having a publicly accessible data breach policy.”
Minister for Customer Service and Digital Government Victor Dominello said he hopes the Bill will provide greater certainty for the public about the safety of their data when breaches occur.
“The protection of people’s privacy is crucial to ensure public confidence in NSW Government agencies. It is imperative that the highest standards of privacy and security prevail to safeguard data,” Dominello said.
“The NSW Government has made significant investments to protect citizens’ data, including funding $315 million to bolster our cyber systems and by launching ID Support NSW to help those impacted by identify theft.”
The Bill will also expand the Privacy and Personal Information Protection Act 1998, including the new Scheme, to cover all NSW state-owned corporations not subject to Commonwealth privacy laws.