SAP Security Data Masking

Has Medibank, and others, done enough to secure personal data?


Last week Latitude Financial announced the theft of around 225,000 records from its database. Initially, I noted it as just another incident, but then I received an email. In my experience, an email letting me know my data may have been obtained by a bad actor is the beginning of the bad news. 

This is the fourth time in less than 6 months I've received one of these emails, so I know what is coming; it’s also getting rather personal now. However, since I’m not the only one who feels this way, my question is: could companies do more to keep our personal data secure?

The Medibank data loss

Naturally, my mind turned to Medibank, whose 9,500,000 customers learned their data had been obtained by bad actors. With the recent release of Medibank’s 2023 Half Yearly Investor’s Report, the scale and cost of the loss have now been published.

The cost to Medibank of its data breach has been massive.

The published bottom line so far is $26,000,000 in one-off costs, with an additional $40,000,000 expected over the next full year. There was also the immediate loss of around 13,000 customers, costing something like an additional $35,000,000 in renewable premiums per annum.

Then there is the cost of damage to the brand, a cost the investors wear, which seems to have settled at around a 10% reduction in Medibank’s valuation (approx. $1,000,000,000). It was much higher in the month or so following the announcement.

What happened?

According to Medibank’s 2023 Half Yearly Investor’s Report, here is what happened:

  • The Medibank systems were accessed using a stolen Medibank username and password used by a third-party IT service provider
  • The stolen credentials were used to access Medibank's network through a misconfigured firewall which did not require an additional digital security certificate
  • Further usernames and passwords were obtained to gain access to a number of Medibank's systems and their access was not contained

Although Medibank hasn’t disclosed exactly which systems were accessed, Medibank’s core ERP production systems are SAP-based. Personal data can be held in any number of development and test systems, data warehouse systems, or other data lakes for analysis and reporting.

What is being done?

Here is what Medibank determined to do, also from Medibank’s 2023 Half Yearly Investor’s Report:

  • Implement further controls around the technical perimeter.
  • Ensure that the firewall authentication is fully configured across the whole network.
  • Bolster existing monitoring and add further detection and forensics capability.
  • Continue to strengthen the security environment.
  • Reinforce security as everyone's business and uplift the security literacy of all users.
  • Continue to evolve the approach to data management.

There is probably a lot more in the detail, but at a high level this reads like a list from an IT Security 101 textbook, doesn’t it? Medibank is committing to doing better, working harder, and improving; but is this enough?

Could more be done?

One thing many IT teams are aware of, but often don’t implement, is data anonymisation: a failsafe method of securing the data held in all non-production systems, which is often the most at-risk data.

Data anonymisation is simple, yet highly effective.

Through proprietary algorithms, real, sensitive, at-risk data is converted into fictitious anonymous data. The data is still useful for testing and analysis purposes but is totally useless otherwise, even if the entire data set is stolen or accessed by an unauthorised individual. Once anonymised, sensitive personal data is no longer at risk. With this one large chunk of data fully secured, the security team and security investment can focus solely on the production systems, reducing the cost and complexity of data security.
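As an added illustration of the idea (example code, not Medibank’s process or an SAP product feature), here is a small Python masking pass over constructed sample customer and claims rows: a keyed, deterministic token replaces identifiers so the claims table still joins to the masked customer table, phone numbers are masked format-preservingly, and dates of birth are generalised to the year. The masking key, table shapes and field names are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed masking key: held only by the masking job, never shipped to the
# non-production system together with the masked copy.
MASKING_KEY = b"constructed-demo-key-rotate-me"

# Constructed sample rows standing in for a customer table and a claims table
# that references it by customer_id (hypothetical shapes, not SAP's).
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "0412 345 678", "dob": "1984-07-19"},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.net",
     "phone": "0498 765 432", "dob": "1990-02-03"},
]
CLAIMS = [
    {"claim_id": "K1", "customer_id": "C1001", "amount": 120.50},
    {"claim_id": "K2", "customer_id": "C1002", "amount": 300.00},
]

def token(value: str, field: str, n: int) -> str:
    """Keyed, deterministic token: same input gives the same output, so joins
    across tables survive masking, yet it cannot be reversed without the key."""
    mac = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big"))[-n:] if n > 0 else ""  # last n decimal digits

def mask_phone(phone: str) -> str:
    """Format-preserving: keep layout and the first two digits, replace the rest."""
    digits = re.sub(r"\D", "", phone)
    fresh = iter(digits[:2] + token(digits, "phone", len(digits) - 2))
    return "".join(next(fresh) if c.isdigit() else c for c in phone)

def mask_customer(row: dict) -> dict:
    """Replace every identifying field; keep only what tests need (year of birth)."""
    return {
        "customer_id": "C" + token(row["customer_id"], "customer_id", 6),
        "name": "Customer " + token(row["name"], "name", 6),
        "email": f"user{token(row['email'], 'email', 8)}@example.invalid",
        "phone": mask_phone(row["phone"]),
        "dob": row["dob"][:4] + "-01-01",  # generalised, no longer linkable to a person
    }

def mask_claim(row: dict) -> dict:
    """Foreign key gets the same transformation as the parent primary key."""
    return {**row, "customer_id": "C" + token(row["customer_id"], "customer_id", 6)}

def mask_dataset() -> tuple:
    return [mask_customer(r) for r in CUSTOMERS], [mask_claim(r) for r in CLAIMS]
```

The masked copy is what gets loaded into development, test and reporting systems; the key stays with the masking job, so even a full copy of the masked tables reveals nothing about the real customers.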

A call to action

Companies owe it to their customers, suppliers, and employees to take every reasonable step to secure their data.

If you are a member of an IT team with responsibility for data security, then data anonymisation should be very high on the list of security recommendations. With the sensitive data held in non-production systems anonymised, an IT team can confidently rest in the knowledge that bad actors cannot access sensitive data via some kind of back door.

Rick Porter

With over two decades of working within the SAP ecosystem, Rick has met and worked with SAP IT professionals from broad backgrounds and experiences. Rick knows the stresses and strains experienced by those managing SAP systems and enjoys bringing these insights and reflections into conversations.
