Australia’s Information Commissioner v Medibank: Cybersecurity Lessons-for-All

Data breaches – in this day and age, who hasn’t been on the wrong side of one? Their sheer frequency, from large-scale attacks like Optus and Medibank, to the now-regular drip of phone notifications for compromised passwords, has created a sense of grim normality. Arguably, data breaches are ‘the norm’ – if you consider that 9.7 million people (more than one in three Australians) had their personal data exposed in the Medibank breach. But those facts should not breed complacency, especially for organisations that handle personal information as part of their day-to-day operations. It is crucial for these organisations to understand and actively implement all ‘reasonable steps,’ including cybersecurity measures, to protect Australians’ personal data.
Related topic: Beyond compliance
25 February 2025
Synergy Law Associate, Eloise Willis

What constitutes ‘reasonable steps’ is a critical question – and one the Australian Information Commissioner (AIC) takes very seriously. You need only consider the Commissioner’s Notice of Filing in the Federal Court action against Medibank (Medibank Filing) as proof. To my mind, the Medibank Filing might well represent a watershed moment in privacy and cybersecurity law and practice. Why? Four key reasons stand out –

  • First, it was one of the biggest data breaches (by number of people affected) in Australian history.

  • Second, the Medibank breach generated an Australian-first. The Commonwealth imposed formal ‘cyber sanctions’ and additional sanctions against five Russian nationals and the Russian-headquartered organisation, ZServers, which provided the network infrastructure that made the cyberattack possible.

  • Third, the AIC filed civil penalty proceedings in the Federal Court, alleging Medibank failed to take reasonable steps to protect the personal information it held.

  • Fourth, the AIC published its Notice of Filing in the Medibank matter, which can be viewed as a practical guide to protecting personal information.

It is in this final, fourth point that we find valuable insights into the Commonwealth’s, and more specifically the AIC’s, perspective on securing personal information. The Medibank Filing evidences the Commissioner’s expectation that organisations implement a comprehensive suite of safeguards, commensurate with the nature and scale of the information they hold. This is not a simple tick-box exercise – it requires a proactive and ongoing assessment of risks and the implementation of robust technical, organisational and physical safeguards. Think strong encryption, regular security audits, staff training, incident response plans and appropriate access controls. Before delving too far into the specifics, let’s first recap the facts surrounding the Medibank data breach, which will help us understand some of the motivation behind the AIC’s Medibank Filing.

AIC v Medibank (The Backstory)

Drawing from the AIC’s Medibank Filing, the origin of the data breach was traced to sometime in 2022, when a Medibank contractor saved their Medibank username and password for multiple accounts to their work computer’s personal internet browser profile. When the contractor later logged into the same browser profile on a personal computer, these credentials were synced. 

In August 2022, malware on the contractor’s personal computer compromised the synced passwords. A threat actor was then able to use these stolen credentials to access Medibank’s IT systems and exfiltrate personal and sensitive information amounting to approximately 520 gigabytes of data. The exfiltrated information included names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information and claims data, and was subsequently published on the dark web between November and December 2022.

Although Medibank’s cybersecurity (detection and response) software had generated various alerts from August 2022 onward, these were incorrectly triaged and the breach was not identified until October, when a high-severity alert was finally investigated. While Medibank had several mechanisms in place to support data security, several deficiencies had previously been identified and were not adequately addressed in time, given the nature and scale of the information it held. According to the AIC, these shortcomings demonstrated Medibank’s failure to take reasonable steps to protect the information it held – and likely contributed to the breach.

If the Federal Court finds in favour of the AIC, it could impose a civil penalty of up to $2.22 million for each contravention of the Privacy Act, i.e. $2.22m multiplied by those 9.7 million impacted Australians. If you do the maths, that could equate to more than $21 trillion. It is highly unlikely that the Federal Court would levy such an enormous penalty. However, it is fair to say that the privacy community and the wider public are keenly awaiting the case management hearing to resume on 15 August 2025. It is my view that once penalties fade into corporate memory, the Medibank case will likely resonate through Australia’s C-suite offices, boardrooms and government agencies for having set a new standard for securing personal data. How? Through the collection of safeguards established in the AIC’s Medibank Filing.

Setting a new security standard

The AIC’s Medibank Filing highlights key privacy considerations, in the form of a list of minimum requirements for data protection, drawing from existing Commonwealth and international policies, guidance and cybersecurity standards. These include the Essential Eight, Prudential Standard CPS 234, the Information Security Manual, the NIST Cyber Security Framework, and the ISO 27000 series of information security standards. While some of these requirements may not be mandatory, they do represent best practice data protection standards for any organisation, regardless of its sector.

So, what are these requirements that the AIC has set out? These are a collection of 11 ‘steps’ or safeguards that organisations of all sizes should consider and assess against their own specific circumstances and data protection needs. The 11 safeguards are outlined below.

  1. Multi-Factor Authentication (MFA) for authenticating users’ remote access connections (such as working from home) and logins to an organisation’s network (Global VPN).

  2. MFA for authenticating users with access to sensitive or critical information assets once inside a network perimeter. This may include access to important data repositories and/or servers used to connect to any such repositories.

  3. Proper change management controls (formal process) to manage changes to information security controls, including changes to how existing security measures are configured.

  4. Appropriate privileged access management controls, including restricting access to information and systems to only those who absolutely need it (least privilege). This also requires regularly reviewing access rights and the associated user accounts to ensure that access and privileges remain valid and appropriate.

  5. Monitoring of privileged accounts, including monitoring to baseline normal behaviour, configuring alerts for unusual or suspicious privileged account activity, and actively monitoring those alerts.

  6. Appropriate password complexity for user accounts, including implementing appropriate controls to prevent the use of insecure or common passwords and the re-use of passwords across multiple accounts.

  7. Password monitoring and review processes to ensure that passwords used to access important data repositories and/or servers are encrypted, including regular password-usage audits and security testing of the tools used to access those data repositories and/or servers.

  8. Security monitoring processes and procedures to detect and respond to information security incidents in a timely manner, including review and triage of security alerts, documented guidance and procedures for escalating security alerts and regularly reviewing the alert review process. Alerts should also be configured to detect the exfiltration of large or abnormal volumes of data.

  9. Appropriate security assurance testing for sensitive or critical information assets and/or key information security controls, including annual penetration testing, annual internal audits and/or internal control effectiveness testing and, in the event of a change that might impact the configuration of MFA for a solution, internal and/or external testing to determine whether MFA is still enforced following the change.

  10. Appropriate application controls for critical servers, including servers used to access sensitive or critical information assets.

  11. Effective contractor assurance, including regular audits, inspections and/or testing of compliance with information security policies and controls and, where applicable, clear identification of the roles and responsibilities of third parties supporting the implementation of information security controls.
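To make safeguards 5 and 8 concrete, here is an added example (not from the Filing and not code from any Medibank system) of the baseline-then-alert logic they describe, run over a constructed egress log: it learns each privileged account’s normal daily outbound volume and known source addresses, then raises alerts for logins from unseen sources and for abnormal or outright large volumes of data leaving. The record format, account names, IP addresses and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress telemetry, one record per session (assumed format):
# (day, account, source_ip, bytes_out). These are not Medibank records.
SAMPLE_EVENTS = [
    (1, "svc-db-admin", "10.1.1.5", 400_000_000),
    (2, "svc-db-admin", "10.1.1.5", 380_000_000),
    (3, "svc-db-admin", "10.1.1.5", 420_000_000),
    (4, "svc-db-admin", "10.1.1.5", 410_000_000),
    (5, "svc-db-admin", "10.1.1.5", 390_000_000),
    (6, "svc-db-admin", "203.0.113.9", 52_000_000_000),  # unseen source, ~52 GB out
    (7, "svc-db-admin", "10.1.1.5", 450_000_000),        # known source, modest bump
    (7, "contractor-jdoe", "10.1.2.7", 5_000_000),       # account with no baseline
]

def build_baseline(events, baseline_days):
    """Per account: (mean, stdev) of daily egress bytes and the set of source IPs
    seen during the baseline window. Days with no activity count as zero bytes."""
    daily = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(set)
    for day, acct, ip, nbytes in events:
        if day <= baseline_days:
            daily[acct][day] += nbytes
            sources[acct].add(ip)
    baseline = {}
    for acct, per_day in daily.items():
        vals = [per_day.get(d, 0) for d in range(1, baseline_days + 1)]
        baseline[acct] = (mean(vals), pstdev(vals), sources[acct])
    return baseline

def detect(events, baseline, baseline_days, sigma=3.0, hard_cap=10_000_000_000):
    """Alerts on (a) a login from a source never seen in the account's baseline and
    (b) daily egress above mean + sigma*stdev (MEDIUM) or above a hard cap (HIGH)."""
    alerts, daily = [], defaultdict(int)
    for day, acct, ip, nbytes in events:
        if day <= baseline_days:
            continue  # baseline window is training data, not scored
        daily[(acct, day)] += nbytes
        if acct in baseline and ip not in baseline[acct][2]:
            alerts.append((day, acct, "HIGH", f"login from unseen source {ip}"))
    for (acct, day), total in daily.items():
        if total > hard_cap:
            alerts.append((day, acct, "HIGH", f"egress {total / 1e9:.1f} GB exceeds hard cap"))
        elif acct in baseline:
            avg, sd, _ = baseline[acct]
            if total > avg + sigma * sd:
                alerts.append((day, acct, "MEDIUM", f"egress {total / 1e6:.0f} MB above baseline"))
    return sorted(alerts)
```

An account with no baseline history (the contractor here) can only trip the hard cap, which is why new and contractor accounts need either an onboarding baseline or tighter interim limits, and why every HIGH alert still needs a documented triage path rather than being left in a queue.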

A Code-in-Waiting – and more?

But that’s not all, especially if we consider the AIC’s code-making powers under Part IIIB of the recently amended Privacy Act. Arguably, the 11 steps set out in the AIC’s Filing may well foreshadow a future Australian Privacy Principle (APP) Code. By detailing the ‘reasonable steps’ required for data protection, the AIC is effectively signalling its expectations for handling personal and sensitive information. These steps could be readily translated into APP Code obligations at the behest of the Attorney-General.

As the AIC outlined in a public statement, ‘[the Medibank] case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.’ Accordingly, the Medibank decision may not just be about holding one organisation accountable; it could be a crucial stepping stone towards more prescriptive and legally binding data protection rules for all.

The Federal Court’s eventual decision in Medibank will (hopefully) establish what constitutes reasonable security standards for handling personal information. Regardless of the outcome, the onus rests firmly on each organisation to take decisive action – and to do it now. Why? Because data breaches should be outliers, not the norm. And taking 11-or-so reasonable steps to secure personal data is not only reasonable; it could very possibly become mandatory.

At Synergy Law, we understand that cybersecurity is a constantly evolving landscape. Our mixed services offering addresses not only current regulatory requirements, but also focuses on anticipating and being at the forefront of cybersecurity requirements. We strive to help our clients stay ahead of the curve, proactively strengthen their defences and minimise their risk of exposure in today’s dynamic threat environment. Our goal is to empower organisations with the knowledge and tools that they need, to protect their valuable data and maintain a robust security posture to the benefit of all Australians.