Recent Data Breaches Prompt Big Changes in Australian Privacy Penalties

Two massive data breaches exposing the personal information of millions of Australians rocked the country—one in September and another in October—prompting Australia’s parliament to swiftly respond with dramatic increases to the penalties allowable under its Privacy Act.

In September, telecom company Optus disclosed a cyber-attack that had compromised its customers’ data—9.8 million customers, to be more precise.[i] The data included names, addresses, phone numbers, and dates of birth. For some customers, more sensitive information was exposed, including driver’s license, passport, and even Medicare ID numbers.[1] Fortunately, for Optus and its customers—active and inactive—no login credentials or credit card details were exposed.

Optus initially described the breach as a sophisticated hack,[ii] though Australian officials have been publicly critical of this claim.[iii] Such skepticism may be partially due to a statement by the hacker claiming responsibility that the data was accessed through an API exposed to the internet that required no authentication credentials.[iv]

The alleged hacker ultimately released the personal information of around 10,000 individuals to a forum frequented by the less reputable side of the internet. Oddly enough, the hacker then apologized several days later and removed the data, although this was too late to prevent others from copying and continuing to distribute it on some shadier parts of the web.[v] There’s still a risk the remaining data could be sold—although the hacker claims to have deleted their only copy—and many Australians have already obtained replacement identification, placed credit holds, and taken other measures to protect themselves.

Breach No. 2

Not to be outdone, hackers responsible for the October breach accessed and stole the data of 9.7 million customers from Medibank, an Australian health insurer. Current reports indicate the breach may have occurred using stolen credentials from someone with high-level access at the company. These credentials were used to access its systems and create backdoors through which the data was exfiltrated.[vi]

Medibank alerted the public in October of a cyber security incident but claimed it had seen no evidence customer records had been accessed or removed[vii]—a positive outlook that was quickly crushed when hackers contacted the insurer to demand payment to prevent their release of the stolen data. The hackers then began releasing samples of the information and continued to pressure Medibank to pay a ransom.[viii]

Citing expert advice that any ransom payment would likely not prevent the data’s release and would encourage further attacks, Medibank refused to pay.[ix] Subsequently, the hackers released all of the stolen raw data in dumps to the dark web.[x] Although Australians were again spared from having their login credentials and payment details exposed, the breach included health claims data for hundreds of thousands of individuals, including diagnosis and treatment codes.

Adding to the headache suffered by the millions of impacted Australians, scams using the Optus and Medibank breach responses as a pretext to steal more sensitive information have exploded. These show no sign of stopping anytime soon.

The massive scale of the breaches, coupled with a lack of personal information safeguards and the public’s ire, appears to have given Australia’s parliament the momentum to pass amendments to the country’s Privacy Act. The legislation made it through both houses of parliament in just over a month and became law on Dec. 13, 2022. The amendment contains a drastic penalty, which is sure to haunt the nightmares of businesses across Australia.

Privacy Act Penalty Increases

Previous penalties for “serious and repeated interferences with privacy” maxed out at about $2.2 million AUD; however, that’s only if a court imposes a provision of the Crimes Act that allows penalties against a corporate body up to five times the maximum penalties allowed against a natural person. For natural persons, the prior penalties maxed out at about $444,000 AUD.

Under the new law, natural persons may be fined up to $2.5 million AUD. Corporate bodies are subject to MUCH steeper penalties, which can reach $50 million AUD or more.

Unfortunately, for those looking for a comeuppance for Optus and Medibank, the new penalty provisions will only apply to violations that happen after the amendments went into effect.

Other Changes to Australia’s Privacy Act

The amendments also broaden the powers Australia’s information commissioner has to obtain information and documents relating to data breaches, as well as provide broader information-sharing abilities between government authorities to facilitate better data breach responses.

These amendments are unlikely to be the last changes to the Privacy Act, though. The Australian attorney general has been conducting a review of the law since 2019, with a final report due by the end of 2022. The impact of the two breaches is likely to add support for any further recommended changes, particularly if they relate to enforcement or data subject rights. The breaches may also prompt support for the addition of a private right of action for individuals damaged by a failure to protect their personal data.

Conclusion

Australia’s privacy law has seen significant changes and may continue to, and businesses subject to it would be well served to take stock and ensure their own privacy practices and policies are defensible, practical, and compliant.


[1] Medicare is Australia’s publicly-funded universal health care insurance system.

[i] Optus, “Latest updates & support on our cyber response”, https://www.optus.com.au/support/cyberresponse/#latest

[ii] Sydney Morning Herald, “’Sophisticated attack’: Optus hackers used European addresses, could be state-linked”, September 23, 2022, https://www.smh.com.au/technology/sophisticated-attack-optus-hackers-used-european-addresses-could-be-state-linked-20220923-p5bkfn.html

[iii] Ibid.

[iv] ISMG, “Optus Under $1 Million Extortion Threat in Data Breach”, Jeremy Kirk, September 25, 2022, https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142

[v] The Guardian, “Alleged Optus hacker apologizes for data breach and drops ransom threat”, September 27, 2022, https://www.theguardian.com/business/2022/sep/27/alleged-optus-hacker-apologises-for-data-breach-and-drops-ransom-threat

[vi] Australian Financial Review, “Revealed: how crooks got inside Medibank”, October 24, 2022, https://www.afr.com/technology/revealed-how-crooks-got-inside-medibank-20221024-p5bsg4

[vii] Medibank, “Cyber event timeline”, updates at 11 a.m., Thursday 13 October; 10:30 a.m., Friday 14 October; and 9:30 a.m., Monday 17 October, https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/

[viii] Cyber Security Hub, “IOTW: Everything we know about the Medibank data leak”, November 10, 2022, https://www.cshub.com/attacks/news/iotw-everything-we-know-about-the-medibank-data-leak

[ix] Medibank, “Cyber event timeline”, update at 9 a.m., Monday 7 November, https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/

[x] Ibid., update on Thursday 1 December

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.