Thursday, 20 October 2022
Media release

Press conference

CLARE O’NEIL: Everyone all good to go? Okay. Thank you.

So, let me start by making a brief statement about what’s happened at Medibank. Last Wednesday, on the 12th of October, Medibank first determined that there were malicious actors on their network. In the 48 hours that followed, Medibank undertook investigations and assured Government that no data had been stolen in this breach. Medibank also worked with various arms of Government to ensure that the malicious actors were taken off their network and at the end of that process believed that the situation was resolved and that no harm had come from the presence of these criminals on Medibank’s network.

That has changed. What we learned yesterday is that communications have been made to Medibank from criminals who are claiming to have significant data of Australian citizens and they have now demanded to enter into a negotiation with Medibank to hold that data effectively for ransom.

Medibank, today, have confirmed some of the data fields that have been offered up as a sample as evidence that the data claim that is being made is accurate. What we know is that Medibank have confirmed today that the data being shown as a sample is their data. It tells us something about what a broader theft of data may look like in Medibank, and it includes a very broad scope of information. It includes names, it includes addresses, it includes phone numbers, it includes some other identifying data, but the thing that I am most concerned about is that it includes numbers that indicate procedures and diagnoses about the health of Australian citizens.

Financial crime is a terrible thing, but, ultimately, a credit card can be replaced. The threat that is being made here to make the private, personal health information of Australians made available to the public is a dog act, and that is why the toughest and smartest people in the Australian Government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens.

I spoke to the Medibank CEO again for the second time this morning and we made an agreement that officers from the Australian Federal Police and the Australian Signals Directorate will locate themselves within Medibank to make sure that we have every possible support to Medibank in trying to ensure that this crime doesn’t result in harm.

Happy to take any questions that you have about this situation.

JOURNALIST: Do you think the attack of the Optus CEO, when she admitted that she didn’t know contrasts with this approach where you’ve kind of backed Medibank and supported them even though they appeared to have lied to you about data being accessed when they told you within that first 48 hour hour period that nothing had been accessed? If they didn’t know, why didn’t they say that?

CLARE O’NEIL: I think directing questions to Medibank about what was communicated when and why is the appropriate source of answers to those questions. Let me just make it absolutely clear. The side I am on here is on the side of the Australian people and we have here something very serious that is happening – citizens’ personal health information is being potentially held to ransom, and my only concern today is to make sure that the Australian Government, who was not the source of this attack, is not at fault here, but indeed is most concerned about its own citizens, is doing everything it can to stop irreparable harm from coming from criminal conduct.

JOURNALIST: Does the company need to do more to make sure that these things are properly communicated, and they don’t – you have kind of given CEOs a free pass to say, “Oh, no, nothing to see here” and then a week later come out and say, “Oh, actually, by the way, these guys have had your data for a week now”?

CLARE O’NEIL: Look, I’m sure the politics of this is endlessly fascinating to people writing articles about it. It’s not of concern to me. My only worry right now is Australians and making sure that they understand that the Australian Government is doing everything it can to stop irreparable harm from coming from what is a complete dog act; and, that is, a criminal who is suggesting that they are going to divulge personal health information of Australians to the public and that is simply unacceptable to us.

JOURNALIST: What is your advice to customers?

CLARE O’NEIL: So, we are – there’s lots of advice to customers about how they can protect themselves. There’s some basic things that need to be done here. If you see text messages, if you get emails, dodgy things about clicking on links, don’t do it. What we know is that in an aftermath of an event like this that lots of idiots will try their luck sending around emails and trying to get people to click on links and to give them money for various things and to commit other types of really petty cybercrime. I’d just be really conscious and careful about that.

Medibank will be in touch with you when they understand the individuals that are affected and the first group of people who we know have had their data breached have been communicated to by Medibank.

JOURNALIST: What advice have they been given?

CLARE O’NEIL: You need to talk to Medibank about that.

JOURNALIST: So, should people do anything else to be more proactive or just wait to hear from Medibank?

CLARE O’NEIL: Look, unfortunately, we are in a waiting game now. We’ve got criminal activity on foot. We’ve got essentially a crime being committed before our very eyes and we need to do everything we can to support Medibank from the Government’s end. But from the public perspective, we do need to watch and wait here, and that’s uncomfortable.

JOURNALIST: Could you have put the AFP or the ASD in Medibank a week ago if you had known and they hadn’t said no one’s data had been accessed within that 48 hour window.

CLARE O’NEIL: Well, we didn’t have evidence that any data had been accessed. We were assured that Medibank didn’t see any evidence of that see any evidence of that so that’s why they’ve gone in today.

JOURNALIST: You said that they assured you that no customer data had been accessed, which is different from their wording as well. So, which one was it? Did they tell you no customer data had been accessed or they had no evidence of customer data being accessed?

CLARE O’NEIL: You’ll have to check the transcripts of the discussions.

JOURNALIST: Do you think it was a sophisticated act or is it kind of Medibank’s fault for leaving the window open [indistinct]?

CLARE O’NEIL: Yep, I just want to explain. There is literally a crime in transmission at the moment. It’s not appropriate for me to comment on that. We know that there’s a group of criminals who are claiming to have this data and are trying to extort some benefits from it, and the AFP are involved here. I’m not going to comment further on the logistics of that.

JOURNALIST: Medibank have said themselves that it wasn’t a sophisticated attack, that someone had passwords and credentials and they were compromised, so someone could just log on to their system. With that in mind, how do they think no one has passed in the data?

CLARE O’NEIL: I just encourage you to talk to Medibank about that.

JOURNALIST: [Indistinct].


JOURNALIST: Do you know how many – do you have an estimation of how many people have been affected?

CLARE O’NEIL: We don’t at this stage. So, again, Medibank is the looking at what data has been taken. We don’t have a clear estimate at this stage of how many people have been affected. What we do know is that there’s somewhere between 100 or 200 people in this initial tranche who we can provide evidence have been the subject of a data breach, but beyond that we don’t have any further information.

JOURNALIST: What’s the Government’s advice to companies on paying a random?

CLARE O’NEIL: The formal advice of the Australian Government is: don’t pay a ransom. People are criminals and they are dishonest, and they’ll tell you all sorts of things that about what will happen in the aftermath of paying a ransom and by nature these people are liars, and we suggest not cooperating with them. That is the policy of the Australian Government.

JOURNALIST: Is it illegal?


JOURNALIST: I would have thought that [indistinct] Senator Thorpe in her committee work was passed on to bikie groups?

CLARE O’NEIL: Yeah, thank you. I’m not in the habit of commenting on the personal lives of members of Parliament, so I’m going to wait to receive some further information before I make a public comment on that one.

SPEAKER: Last couple questions.

JOURNALIST: The Medibank attack is the second significant one we’ve seen now in less than a month. Do you expect more companies to be hit after seeing these two?

CLARE O’NEIL: Yeah, okay. Um, this is the new world for us. We’re living in a digital age and the truth is that cybercrime is rising significantly all over the world. Interpol is meeting at the moment in New Delhi, so this is the heads of police forces all over the world, and they have just made an announcement that cybercrime is their number one crime concern of the moment. What it tells me is that we need to do better as a country, and I’ve said previously that I think we’re in the order of five years behind where we need to be on our cyber laws and our policies and our approaches. And my role as Cybersecurity Minister is to try to fix that problem in as short a time as I can.

JOURNALIST: So, is it better for the next CEO to own up and say, “We don’t know” or is it better for them to underplay it like Medibank have?

CLARE O’NEIL: I would really encourage CEOs to be honest and transparent with the Australian public at all times.

JOURNALIST: Do you think Medibank has been?

CLARE O’NEIL: I don’t have any evidence to the contrary. Okay, great, guys. Thank you very much.