Given the Optus & Medibank breaches I thought a dedicated thread for this kind of shit might be in order.
Kelly Bayer Rosmarin the most relieved person in the country at the moment. Medibank with the hold my beer moment… all customers affected and not just with identifying information but with “significant amounts of health claims data” too.
I avoided the Optus one but was a Medibank customer at one point. No claims through them that I can remember so hopefully my exposure on that front is minimal.
Needs to be some swift legislation changes here. I’m surprised there hasn’t been a lot of talk about the metadata retention stuff as that seems to have been a part of why Optus was retaining the ID info they were.
Is it just me or is there an excessive amount of hacking going on? Since the Optus breach, it seems like there’s a report of some company getting hacked every week.
Is it open season for hackers at the moment or are they just realizing how weak most companies’ security processes really are?
Probably more this. Though over the last few years there has been a massive amount of ransomware attacks that are just never heavily publicised because they target business operational data rather than public/customer data.
I think it also gets clicks. The Optus one was a big one that came out and now everyone is wanting to know about the other ones. Do yourself a favour and go to www.haveibeenpwned.com and you’ll see how bad it is.
Or is it a case of breaches that have been going undetected are now being picked up?
What’s to say that some of these breaches have been ongoing for quite some time with the hackers periodically stealing data, selling it and returning for more?
I think the same as everything it runs in trends and defenses are often very reactionary. I suspect (and hey this is supposition from a regular schmuck so take it as you will) that the rise of ransomware attacks meant that companies are more and more prepared for them and/or willing to take a productivity/data hit rather than pay out. Our own benevolent dictator is a perfect example of that right? Fuck it we’ve got backups and we’ll just lose that data. When that’s the case you start looking for alternative strategies.
Nailed on the Optus one was a 15yo kid in the basement.
Pretty much every hack is either a procedural failure or human error.
Optus was some fucking idiot leaving a mechanism for querying data wide open to the public and Optus having utterly crap security threat assessment practices so it wasn’t noticed.
Medibank Private was some dumb executive cunt having his login and password recorded somewhere it could be stolen or not taking password maintenance seriously, he also should NEVER have had access to that data, he had no fucking business having access to it. They have appalling security practices and frankly shouldn’t be allowed to handle medical data, which has legal obligations for protection, without a complete overhaul of their approach to security, this is fucking unforgivable.
SFCU was human error, a database password was left on default settings after an upgrade. We don’t have security practices or monitoring since this is a hobby but everyone who touches the back-end knows what they’re doing, but we did have good backups that let us come out of it essentially unscathed.
Most is human error, but it’s not helped by the complete disregard to security which is fairly prevalent in Australia. We’re so far behind, and until more stuff like this happens, people won’t notice/care.
Also hackers are getting more creative. Some of the stuff they do is mind boggling in their search for vulnerabilities.
One good thing about the Optus hack is that lots of commodities have realised how possible it is to be compromised and have stepped up the back end monitoring and audits of systems etc.
Stupid question, but would any of it be due to just the general age of the CEOs for most of these companies and a lack of understanding on IT issues?
Funnily enough, it seems like the government reaction has been very different between Optus and Medibank. Optus was thrown under the bus, whereas Medibank, the focus has been on the “hackers”.
Australians are naive on so many things. I.T. security is just one of those things. Being stuck on the other side of the world means we’re insulated from a lot of things and people can get complacent.
It still blows my mind that even while I was doing web development courses less than a decade ago, how many people in them were still unable to discern dodgy links, for example.
Very much so. The other problem is it’s a cost saving exercise with no tangible profit up front. Put the two together and it’s really hard to get old cunts on board to spend 500k on security which may not ever be used, despite it possibly saving you tens of millions.
Not at all, they’ve managed to embrace cloud, big data, telecommuting, internet based sales, mobile apps and every other technological change that offers them a marketplace advantage just fine, simply put, they just don’t want to spend money on meeting their obligations to protect sensitive data comprehensively.
If this was the case, there are surely very short odds on him using his login on a public computer …
More likely it was the same password he uses for everything and it was discovered in another hack then used on his Medibank accounts.
And another one. They knew in June that stolen data was being sold on the dark web but didn’t think that they should tell anyone.
Time for $10k per affected user fines for businesses who don’t properly look after PII. Fuck them, if they won’t take it seriously without massive consequences, time to bring the hammer. I’d advocate for serious punishment for directors who allow this shit to happen on their watch, but we know that’ll never happen.
Labor have been considering introducing MINIMUM $50m fines for companies who have their data breached without sufficient safeguards. I really hope it will happen, but not always does a proposal get passed in its original form. But I agree, enough is enough. The corporate cowboys don’t deserve to keep getting away with it.