The executives that lost their jobs were not aware that the systems operating in the bowels of their organisations, which led to overcharging customers, were not fit for purpose. But they were guilty of ignoring risk and underinvesting in technology to prevent it.
Medibank customer data is now leaking onto the dark web.Credit:Getty Images / Louise Kennerley
Investors similarly punished the Westpac and Commonwealth Bank executives in charge when both banks were taken to court by financial intelligence agency AUSTRAC, which said millions of dollars had been laundered through the banks by criminals, including drug and firearms importers.
The upper echelons of Rio Tinto were purged after it was inattentive to the wishes of Indigenous landowners, resulting in the cultural crime of blasting the caves in Juukan Gorge in Western Australia.
The conversation around cybercrime now needs to be reframed to reflect that corporations must be held to a far more rigorous standard when it comes to data security. If customer data is crucial to business processes, then the bar to keeping it safe must be higher and so should be the penalties when things go wrong.
The real victims of the Medibank hack are the insurer’s customers, whose data is now lurking on the dark web, and are now anxiously waiting to see how badly they have been exposed.
Loading
The fact that it has taken these two high-profile ransomware attacks to wake the government from its slumber and move to legislate far stiffer financial penalties for insufficient protection of consumer data, explains a lot about the lack of priority this issue has commanded until now.
Next week Medibank’s annual general meeting will provide an open forum for investors to vent and send a warning to other businesses that cybersecurity is an issue that needs to be addressed. Not just as a footnote, but as a serious governance and risk management issue.
Shareholders must push Medibank’s management for more granular information on how much the hack will cost the company and whether its initial estimates of $25 million to $35 million remain current. If fines are ultimately imposed on Medibank, if a class action lawsuit is filed or if remediation proves more expensive than anticipated, then this figure surely will be insufficient.
While Medibank was right in refusing to pay the ransom, it has inevitably led to the hackers making good on their promise to release the data.
Loading
Most attacks are carried out by a well-oiled, highly organised criminal cartel, rather than individual criminal actors. Their business model would be ineffective if the hackers didn’t follow through with their threats - they would lose the leverage to negotiate with the future targeted companies.
It also doesn’t make a lot of business sense for criminals to release the data after the ransoms are paid - because it becomes a disincentive for anyone to pay a ransom. (Although cyber experts say history has shown there is some risk data will be sold to others even after ransoms are paid.)
Given the financial gains at stake, the relative lack of effective enforceable action against the hackers by organisations, and a low-stakes approach to corporate accountability, the attacks are going to keep coming.
Companies that have enjoyed the benefits of the digital revolution - particularly the productivity gains that technology has provided, must now work harder to deal with the downside.
The Market Recap newsletter is a wrap of the day’s trading. Get it each weekday afternoon.









Add Category