Corporate insurers routinely pay hackers a ransom for the return of stolen customer data, according to a top Australian government cybersecurity provider, as the country's largest health insurer revealed the growing scope of a recent breach on Oct 25.
The claim from Macquarie Telecom, which manages cybersecurity for 42% of Australian federal employees, including the Australian Taxation Office, suggests a lack of preparedness in an industry that has been in the spotlight recently due to a wave of high-profile hacks.
"These are the largest corporations in the world, falling over themselves to pay criminals as fast as possible to cap their liability," Macquarie CEO David Tudehope told Reuters in an interview, referring to cyber insurance firms that he did not name. "In what other sphere of life do you see reputable corporates pay millions of dollars to criminals and somehow it's all okay?"
Insurers that paid ransom to hackers had no way of ensuring data deletion, which meant sensitive customer information remained at risk of being exposed online, according to Tudehope.
This month, Medibank Private, Australia's largest health insurer, revealed that a criminal had stolen the personal health data of 100 of its 4 million customers and demanded payment for the data's return. On Tuesday, Medibank announced that the criminal had revealed the personal information of another 1,000 customers, and that the number was likely to grow.
Optus, the country's No. 2 telco, said last month that a hacker demanded payment after stealing data from about 10 million customer accounts, equivalent to 40% of the Australian population. A person claiming to be the Optus hacker later withdrew the demand due to privacy concerns. Meanwhile, the federal government has announced that companies that suffer data breaches will face fines of up to A$50 million.
"This is an enormous wake-up call for the country," Cyber Security Minister Clare O'Neil told parliament. "We need to do more as a country to step up."
O'Neil added that a national crisis management group formed during the COVID-19 outbreak was activated on Saturday and has met three times to discuss the Medibank hack.
Tudehope, the CEO of Macquarie Telecom, declined to comment on specific incidents, but blamed underprepared cybersecurity chiefs who were too focused on internal stakeholder management and overly reliant on all-in-one protections such as firewall software.
"The challenge in cyber is it just changes so quickly and the people in senior management who, in many cases, do not have the background in cybersecurity because it wasn't a thing as they worked their way up through their career," Tudehope said.
"They're making decisions they don't have a strong understanding of in many cases," he added. "The people who have a deeper level of IT security (knowledge) are often at junior or middle levels of an IT department or government agency."
According to Tudehope, most businesses will face cyber attacks and should have a recovery plan in place, such as backing up confidential data frequently to a separate location that hackers cannot reach.