At a glance.
- Medibank hacker threatens to dump data.
- Facial recognition proves difficult to limit under GDPR.
- Baby monitors and privacy risk.
Medibank hacker threatens to dump data.
New details about the data breach of Medibank, Australia’s largest health insurer, continue to surface. ABC Australia reports that the hacker behind the breach has threatened to release the stolen customer data. In a post published on the dark web around midnight on Monday, the cybercriminal(s) stated, “data will be publish [sic] in 24 hours…P.S. I recommend to sell medibank [sic] stocks." University of New South Wales cybersecurity expert Professor Richard Buckland, said of the post, "We can't know for sure that it is the hackers that have posted it, because no data was posted with it, but it looks very plausible. It's exactly what we're expecting once they were told they weren't going to be paid the ransom. The next step for them in this business is to then release the data — if they don't release the data they're not able to make future ransom threats." CRN Australia reports that Medibank is aware of the threat. Medibank Chief Executive Officer David Koczkar today stated, "We knew the publication of data online by the criminal could be a possibility, but the criminal's threat is still a distressing development for our customers." Medibank added that the Australian Federal Police is on the case, but warned customers that the threat actors could attempt to contact victims directly.
Rebecca Moody, head of data research at Comparitech, commented on the incident, noting that paying a ransom probably doesn't in fact pay:
“According to the data collated through our Worldwide Ransomware Tracker, just less than 18 percent of ransom demands have been paid (where companies confirm whether or not they have paid). However, companies are far more likely to confirm they haven't paid than to confirm they have, as many feel admitting to paying ransoms leaves them exposed to future attacks.
"Companies may feel they have no choice but to pay a ransom if their systems are crippled by the attack and they are forced offline for an indefinite period of time. Fortunately, Medibank's systems seem to have been largely unaffected by the attack which may have helped in the decision not to pay the ransom.
"However, choosing not to pay often results in stolen data being published for sale on the dark web/hacker's forums. In the case of Medibank, this could mean that the data of nearly 10 million customers will be exposed by the hackers. Medibank may then face the cost of offering identity theft protection services for its customers. This cost, alongside other mediation efforts, could exceed the ransom demand from the hackers. The amount demanded from Medibank is still unknown but, according to our latest data, the average ransom demand for 2022 is $6.26 million.
"However, as Medibank states, paying a ransom does not guarantee that the data will be destroyed and/or customer records will not be exploited.”
Facial recognition proves difficult to limit under GDPR.
Wired takes a closer look at the case of Matthias Marx, the German activist and security researcher who was the first European to file a complaint against Clearview AI for violating his privacy rights as stipulated in the General Data Protection Regulation. The American facial recognition company has come under fire for scraping the web for publicly available images of people’s faces – without the subjects’ consent – to populate its massive searchable database. Clearview then sells access to the database to clients like law enforcement agencies who want an easy way to match photos with other images online. Clearview and similar companies like Pimeyes and Public Mirror operate in a privacy gray area, as they technically only use publicly available data. According to Marx’s local privacy regulator in Hamburg, his case has been closed, but Marx says he was never notified of the decision. “It’s almost been two and a half years since I complained about Clearview AI, and the case is still open. That is too slow, even if you take into account that it’s the first case of its kind,” Marx stated.
His case isn’t the only one that appears to have stalled. Data protection authorities in France, Greece, and Italy have hit Clearview with fines for breaking EU privacy rules, but the Greek and Italian fines have gone unpaid, and Clearview has yet to remove EU faces from its platform. Making matters worse, even if Clearview were to delete all of the EU faces currently stored in its database, its scraping bots could easily vacuum up more images to take their place. And even Clearview admits it’s impossible to truly distinguish the citizenship of a subject based on an image. CEO Hoan Ton-That explains, “There is no way to determine if a person resides in the EU, purely from a public photo from the internet, and therefore it is impossible to delete data from EU residents
Who’s watching the baby?
It’s common knowledge that any device linked to the internet can be hacked, and whether it’s a security camera or a smart toaster, cybercriminals can find a way to compromise any sensitive data it might contain. When it comes to smart baby monitors, the stakes couldn’t be higher, as the last thing any parent wants is an intruder spying on their precious offspring. As WeLiveSecurity explains, radio frequency monitors require a hacker to be within range of the signal and to know the frequency it is using, but Wi-Fi-enabled monitors are even easier to hack because they connect to the user’s home router and, in some cases, the public internet. Governments including those of the US and the UK have IoT privacy legislation in the works, but in the meantime, it’s up to users to protect themselves – and their children – from prying eyes. Recommendations include selecting a monitor that prioritizes security, keeping the monitor’s software up to date, deactivating remote communication, and using a strong password on both the monitor and the home router.