Medibank’s hack tells us privacy laws need to change

Medibank’s data breach exposes how Australia’s most vulnerable have the most to lose when private information is made public

By Associate Professor Toby Murray and Dr Suelette Dreyfus, University of Melbourne[

Most of us have heard the argument that “if you have done nothing wrong, you have nothing to fear” when it comes to online surveillance.

It’s regularly trotted out in defence of government monitoring and heavy-handed powers granted to law enforcement in the name of protecting us from terrorism and the worst kinds of criminality.

The Medibank hackers claim they demanded a $US9.7 million ransom not to release stolen customer information. Picture: Getty Images

Over the last week or so, the Medibank breach saga has provided ample evidence as to where this argument fails.

Following ransom threats, the purported Medibank hackers published the personal medical information of 100 people – separated between “naughty” and “nice” categories. The “naughty” are those with medical histories some may find embarrassing – including drug dependencies and mental health conditions – while others whose medical histories the hackers decided were more prosaic were deemed “nice”.

Then things turned even nastier, with the hackers claiming to have released a data file called abortions.csv. Then came boozy.csv.

There is a lot to unpack here.

Firstly, the hackers are weaponising the fear of some of the most vulnerable Medibank customers to try to pressure the health insurer to renege on its promise not to pay any ransom demands. The depravity of this behaviour hardly needs stating.

Secondly, the overtones of moral judgement in the attackers’ actions are unmistakable – creating fear and anxiety over details in those health records.

But, more importantly, this tactic highlights how it’s those in society who are already the most marginalised and vulnerable that have the most to lose when their private information is made public without their consent.

Disability rights advocate Elly Desmarchelier spoke eloquently on ABC TV’s The Drum when she explained how people living with a disability must carefully control exactly what information about their disability they reveal and to whom.

The overtones of moral judgement in the attackers’ actions are unmistakable. Picture: Getty Images

This constant battle, she explained, is necessary to reduce the risk of victimisation and discrimination.

That makes perfect sense, as the ongoing Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability has made clear, discrimination against people with disabilities remains all too common in Australia today.

Think of any medical condition or medical treatment that is stigmatised, and you’ll have an excellent guide as to the kinds of people likely to find their name on the Medibank hackers’ “naughty” list.

The truth is that we all rightfully have something to hide. And those who society stigmatises or discriminates against have more to hide than most.

It has been less than four months since the US Supreme Court overturned Roe v Wade, which overnight criminalised abortion for a massive fraction of the US population.

A year ago, few American women would have been comfortable revealing whether they had had an abortion, with good reason given the virulence of the anti-choice movement in the US. For many, that choice now has criminal implications.

In a highly polarised society, there’s good reason to hide that you may have engaged in many legal activities that other people object to. When the line between legal and illegal can shift so quickly, hiding what you have done today lest it be criminalised tomorrow seems only prudent.

Those who society stigmatises or discriminates against have more to hide than most. Picture: Getty Images

That the vulnerable and those already victimised have the most to lose from data breaches is not a new observation.

In the wake of the Optus breach, earlier this year many commented on how it was domestic violence victims, for instance, who might be most at risk for having their address details exposed. This is to say nothing of the dangers that might be posed by an abusive or malicious ex-partner who is able to impersonate you by having your identity document information.

More recently, the Medibank breach has highlighted how children face greater risks from having had their medical histories made public.

For the sake of society’s most vulnerable, we need to recognise that privacy is non-negotiable because breaches of privacy cause real harm.

We need legal mechanisms to allow people to seek compensation when companies breach their privacy, in addition to stronger penalties levied by government regulation. We also need stronger mechanisms to disincentivise the collection of sensitive information by companies and the government.

For instance, penalties for breaches should be scaled – not according to the size of the organisation – but to the volume of sensitive information it has collected.

All of us have secrets worth hiding.

Secrets that we necessarily entrust to corporations and the government as part of life in our modern society. In an age in which we can expect to see more data breaches, privacy laws must keep up.

Banner: Shutterstock

Engineering & Technology

Featured

Republish this article

We believe in the free flow of information. This work is licensed under a Creative Commons Attribution-No Derivatives 3.0 Australia (CC BY-ND 3.0 AU), so you can republish our articles for free, online or in print.

All republished articles must be attributed in the following way and contain links to both the site and original article: “This article was first published on Pursuit. Read the original article.”

<header><h1>Medibank’s hack tells us privacy laws need to change</h1><p><a rel="author" href="https://pursuit.unimelb.edu.au/individuals/associate-professor-toby-murray">Associate Professor Toby Murray</a> and <a rel="author" href="https://pursuit.unimelb.edu.au/individuals/dr-suelette-dreyfus">Dr Suelette Dreyfus</a></p></header><p>Most of us have heard the <a href="https://en.wikipedia.org/wiki/Nothing_to_hide_argument" target="_blank">argument</a> that “if you have done nothing wrong, you have nothing to fear” when it comes to online surveillance. </p><p>It’s regularly trotted out in defence of government monitoring and heavy-handed powers granted to law enforcement in the name of protecting us from terrorism and the worst kinds of criminality. </p><figure class="full-width"><img alt="" itemprop="image" sizes="(min-width: 1300px) 892px, (min-width: 1099px) 860px, (min-width: 769px) 700px, 100vw" src="https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--CaIIBS6B--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/6f4/100/883/6f410088305eb9575abefe937fc6b939478d9cdbe60b00ffa8420dc48e3e.jpg" srcset="https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--QL0KQdvw--/c_limit,f_auto,q_75,w_446/v1/pursuit-uploads/6f4/100/883/6f410088305eb9575abefe937fc6b939478d9cdbe60b00ffa8420dc48e3e.jpg 446w, https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--geNFQsVN--/c_limit,f_auto,q_75,w_669/v1/pursuit-uploads/6f4/100/883/6f410088305eb9575abefe937fc6b939478d9cdbe60b00ffa8420dc48e3e.jpg 669w, https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--CaIIBS6B--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/6f4/100/883/6f410088305eb9575abefe937fc6b939478d9cdbe60b00ffa8420dc48e3e.jpg 892w, https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--nKOY9K5v--/c_limit,f_auto,q_75,w_1784/v1/pursuit-uploads/6f4/100/883/6f410088305eb9575abefe937fc6b939478d9cdbe60b00ffa8420dc48e3e.jpg 1784w" /><figcaption>The Medibank hackers claim they demanded a $US9.7 million ransom not to release stolen customer information. Picture: Getty Images</figcaption></figure><p>Over the last week or so, the <a href="https://www.abc.net.au/news/2022-10-25/medibank-breach-wider-than-estimated/101572904">Medibank breach saga</a> has provided ample evidence as to where this argument fails. </p><p>Following <a href="https://www.theguardian.com/australia-news/2022/nov/10/medibank-hacker-says-ransom-demand-was-us10m-as-purported-abortion-health-records-posted#:~:text=The%20hacker%20behind%20the%20cyber,to%20contain%20abortion%20health%20information.">ransom threats</a>, the purported Medibank hackers <a href="https://www.abc.net.au/news/2022-11-09/medibank-data-release-dark-web-hackers/101632088">published the personal medical information of 100 people</a> – separated between “naughty” and “nice” categories. The “naughty” are those with medical histories some may find embarrassing – including drug dependencies and mental health conditions – while others whose medical histories the hackers decided were more prosaic were deemed “nice”. </p><p>Then things turned even nastier, with the hackers claiming to have<a href="https://www.theguardian.com/australia-news/2022/nov/10/medibank-hacker-says-ransom-demand-was-us10m-as-purported-abortion-health-records-posted"> released a data file called abortions.csv</a>. Then came <a href="https://www.aap.com.au/news/minister-vows-to-hunt-medibank-hackers/">boozy.csv</a>.</p><figure class="related inset-right" role="complementary"><a class="single" data-bound="true" href="https://pursuit.unimelb.edu.au/articles/facebook-the-government-and-revenge-porn"><img alt="" itemprop="image" src="https://res-1.cloudinary.com/the-university-of-melbourne/image/fetch/s--r9O0id1Y--/c_fill,f_jpg,q_70,w_435/https://res-4.cloudinary.com/the-university-of-melbourne/image/upload/s--kW2m6_oV--/c_fill%2Cf_auto%2Ch_630%2Cq_75%2Cw_1200/v1/pursuit-uploads/8a3/be9/18a/8a3be918ab02f9e51f76714612bbf051535dac9ae6be5ae02e3e45b2fc9e.jpg" /><h3>Facebook, the Government and revenge porn</h3><div class="readmore">Read more</div></a></figure><p>There is a lot to unpack here. </p><p>Firstly, the hackers are weaponising the fear of some of the most vulnerable Medibank customers to try to pressure the health insurer to renege on its <a href="https://www.theguardian.com/technology/2022/nov/07/medibank-says-it-wont-pay-ransom-for-customer-data-stolen-in-cyber-attack" target="_blank">promise</a> not to pay any ransom demands. The depravity of this behaviour hardly needs stating. </p><p>Secondly, the overtones of moral judgement in the attackers’ actions are unmistakable – creating fear and anxiety over details in those health records. </p><p>But, more importantly, this tactic highlights how it’s those in society who are already the most marginalised and vulnerable that have the most to lose when their private information is made public without their consent.</p><p>Disability rights advocate <a href="https://www.abc.net.au/news/programs/the-drum/2022-11-09/the-drum-wednesday-9-november/101636340">Elly Desmarchelier spoke eloquently on ABC TV’s <em>The Drum</em></a> when she explained how people living with a disability must carefully control exactly what information about their disability they reveal and to whom. </p><figure class="full-width"><img alt="" itemprop="image" sizes="(min-width: 1300px) 892px, (min-width: 1099px) 860px, (min-width: 769px) 700px, 100vw" src="https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--GOq6uyHZ--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/f16/f79/02a/f16f7902a4153bdddb90d623a1747a90be19991187e350303d246e2c1a02.jpg" srcset="https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--CJ8CSjV0--/c_limit,f_auto,q_75,w_446/v1/pursuit-uploads/f16/f79/02a/f16f7902a4153bdddb90d623a1747a90be19991187e350303d246e2c1a02.jpg 446w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--lz35u7RU--/c_limit,f_auto,q_75,w_669/v1/pursuit-uploads/f16/f79/02a/f16f7902a4153bdddb90d623a1747a90be19991187e350303d246e2c1a02.jpg 669w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--GOq6uyHZ--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/f16/f79/02a/f16f7902a4153bdddb90d623a1747a90be19991187e350303d246e2c1a02.jpg 892w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--nwM5Zd0j--/c_limit,f_auto,q_75,w_1784/v1/pursuit-uploads/f16/f79/02a/f16f7902a4153bdddb90d623a1747a90be19991187e350303d246e2c1a02.jpg 1784w" /><figcaption>The overtones of moral judgement in the attackers’ actions are unmistakable. Picture: Getty Images</figcaption></figure><p>This constant battle, she explained, is necessary to reduce the risk of victimisation and discrimination. </p><p>That makes perfect sense, as the ongoing <a href="https://disability.royalcommission.gov.au/">Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability</a> has made clear, discrimination against people with disabilities remains all too common in Australia today. </p><p>Think of any medical condition or medical treatment that is stigmatised, and you’ll have an excellent guide as to the kinds of people likely to find their name on the Medibank hackers’ “naughty” list.</p><figure class="related inset-right" role="complementary"><a class="single" data-bound="true" href="https://pursuit.unimelb.edu.au/articles/tiktok-captures-your-face"><img alt="" itemprop="image" src="https://res-2.cloudinary.com/the-university-of-melbourne/image/fetch/s--b9KBtiux--/c_fill,f_jpg,q_70,w_435/https://res-5.cloudinary.com/the-university-of-melbourne/image/upload/s--hfiAOXeR--/c_fill%2Cf_auto%2Ch_630%2Cq_75%2Cw_1200/v1/pursuit-uploads/06d/c7f/164/06dc7f164113dbf77e0f7d8d6ed47599772d838c150b2d36f126e3ed7b3b.jpg" /><h3>TikTok captures your face</h3><div class="readmore">Read more</div></a></figure><p>The truth is that we all rightfully have something to hide. And those who society stigmatises or discriminates against have more to hide than most. </p><p>It has been less than four months since the <a href="https://www.npr.org/2022/06/24/1102305878/supreme-court-abortion-roe-v-wade-decision-overturn#:~:text=Angerer%2FGetty%20Images-,Anti%2Dabortion%20activists%20rally%20in%20front%20of%20the,Supreme%20Court%20on%20June%206.&text=In%20a%20historic%20and%20far,half%20century%2C%20no%20longer%20exists.">US Supreme Court overturned <em>Roe v Wade</em></a>, which overnight criminalised abortion for a massive fraction of the US population. </p><p>A year ago, few American women would have been comfortable revealing whether they had had an abortion, with good reason given the virulence of the <a href="https://www.lowyinstitute.org/the-interpreter/us-abortion-bans-unleash-state-sanctioned-violence-against-women">anti-choice movement in the US</a>. For many, that choice now has criminal implications. </p><p>In a highly polarised society, there’s good reason to hide that you may have engaged in many legal activities that other people object to. When the line between legal and illegal can shift so quickly, hiding what you have done today lest it be criminalised tomorrow seems only prudent. </p><figure class="full-width"><img alt="" itemprop="image" sizes="(min-width: 1300px) 892px, (min-width: 1099px) 860px, (min-width: 769px) 700px, 100vw" src="https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--6q2MvYUF--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/4fd/e33/52e/4fde3352eb6bfa0b45357524b91b21fdd9a5661b9f04e6355acb035c0ba9.jpg" srcset="https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--2N52kuNA--/c_limit,f_auto,q_75,w_446/v1/pursuit-uploads/4fd/e33/52e/4fde3352eb6bfa0b45357524b91b21fdd9a5661b9f04e6355acb035c0ba9.jpg 446w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--Q0WjMK7_--/c_limit,f_auto,q_75,w_669/v1/pursuit-uploads/4fd/e33/52e/4fde3352eb6bfa0b45357524b91b21fdd9a5661b9f04e6355acb035c0ba9.jpg 669w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--6q2MvYUF--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/4fd/e33/52e/4fde3352eb6bfa0b45357524b91b21fdd9a5661b9f04e6355acb035c0ba9.jpg 892w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--UOQ6d7qr--/c_limit,f_auto,q_75,w_1784/v1/pursuit-uploads/4fd/e33/52e/4fde3352eb6bfa0b45357524b91b21fdd9a5661b9f04e6355acb035c0ba9.jpg 1784w" /><figcaption>Those who society stigmatises or discriminates against have more to hide than most. Picture: Getty Images</figcaption></figure><p>That the vulnerable and those already victimised have the most to lose from data breaches is not a new observation. </p><p>In the wake of the Optus breach, earlier this year many <a href="https://www.theguardian.com/commentisfree/2022/sep/28/optus-customers-not-the-company-are-the-real-victims-of-massive-data-breach" target="_blank">commented</a> on how it was domestic violence victims, for instance, who might be most at risk for having their address details exposed. This is to say nothing of the dangers that might be posed by an abusive or malicious ex-partner who is able to impersonate you by having your identity document information. </p><p>More recently, the Medibank breach has <a href="https://www.abc.net.au/news/science/2022-10-28/medibank-data-breach-children-caught-up-privacy-concerns/101584376" target="_blank">highlighted</a> how children face greater risks from having had their medical histories made public. </p><figure class="related inset-right" role="complementary"><a class="single" data-bound="true" href="https://pursuit.unimelb.edu.au/podcasts/the-politics-of-hacking"><img alt="" itemprop="image" src="https://res-2.cloudinary.com/the-university-of-melbourne/image/fetch/s--Cd6U8qcA--/c_fill,f_jpg,q_70,w_435/https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--IvstDfN3--/c_fill%2Cf_auto%2Ch_630%2Cq_75%2Cw_1200/v1/pursuit-uploads/c0d/089/402/c0d089402647de0dc441d2bc2fa6917406c358f2af10b6268436bc78c1da.jpg" /><h3>The politics of hacking</h3><div class="readmore">Read more</div></a></figure><p>For the sake of society’s most vulnerable, we need to recognise that privacy is non-negotiable because breaches of privacy cause real harm. </p><p>We need <a href="https://www.lawcouncil.asn.au/media/media-releases/law-council-supports-statutory-tort-for-serious-invasion-of-privacy#:~:text=8%20February%202022&text=%E2%80%9CIf%20an%20individual%20is%20harmed,President%2C%20Mr%20Tass%20Liveris%20said.https://www.lawcouncil.asn.au/media/media-releases/law-council-supports-statutory-tort-for-serious-invasion-of-privacy#:~:text=8%20February%202022&text=%E2%80%9CIf%20an%20individual%20is%20harmed,President%2C%20Mr%20Tass%20Liveris%20said." target="_blank">legal mechanisms</a> to allow people to seek compensation when companies breach their privacy, in addition to <a href="https://ministers.ag.gov.au/media-centre/tougher-penalties-serious-data-breaches-22-10-2022" target="_blank">stronger penalties</a> levied by government regulation. We also need stronger mechanisms to disincentivise the collection of sensitive information by companies and the government. </p><p>For instance, penalties for breaches should be scaled – not according to the size of the organisation – but to the volume of sensitive information it has collected.</p><p>All of us have secrets worth hiding. </p><p>Secrets that we necessarily entrust to corporations and the government as part of life in our modern society. In an age in which we can expect to see more data breaches, privacy laws must keep up. </p><p>Banner: Shutterstock</p><img alt="" height="1" style="display:none" width="1" src="//track.web.unimelb.edu.au/pursuit/pageview.png?location=https%3A%2F%2Fpursuit.unimelb.edu.au%2Farticles%2Fmedibank-s-hack-tells-us-privacy-laws-need-to-change&title=Medibank%E2%80%99s+hack+tells+us+privacy+laws+need+to+change&path=%2Farticles%2Fmedibank-s-hack-tells-us-privacy-laws-need-to-change&campaign_name=Pursuit+republishing&campaign_medium=republish&campaign_content=Medibank%E2%80%99s+hack+tells+us+privacy+laws+need+to+change" />

Media enquiries

Phone: +61 3 8344 4123
Email: news@media.unimelb.edu.au

The Media Office is staffed from 8am–5pm Monday to Friday.

The University has a television and radio studio to facilitate live and prerecorded broadcast quality interviews with media. You can also Find an expert for commentary.