Why it took one of Australia’s largest pathology services five months to inform its patients that their data had been stolen and distributed to the dark web is being questioned by cybersecurity experts.
Australian Clinical Labs (ACL) disclosed Monday that it had been the target of a cyberattack in February, which had occurred eight months prior. Since that time, ACL has learned that 223,000 people’s data had been obtained and part of it had been put to the dark web.
Just one day after the full scope of the Medibank hacking incident was revealed, the company—which, among other things, provides COVID-19 testing—made an announcement to the ASX regarding the matter.
ACL claimed that the breach involved its subsidiary, Medlab, and that the most worrying leaks involved credit card details, Medicare numbers, and medical and health records.
It claimed that pertinent authorities had informed it of concerns about being the target of a ransomware event as early as March. These same pertinent authorities also claimed to have informed it in June that certain Medlab data had surfaced on the dark web.
According to Richard Buckland from the University of New South Wales, “They’ve been holding on to this for a very long time.”
According to ACL, its subsidiary Medlab was a victim of the hack, and the most concerning disclosures comprised credit card numbers, Medicare numbers, and medical and health records.
It asserted that relevant government agencies had warned it about fears about becoming the target of ransomware as early as March. It was also asserted that these same relevant authorities had informed it in June that specific Medlab data had appeared on the dark web.
They’ve been holding onto this for a very long time, said Richard Buckland of the University of New South Wales.
The Australian Cyber Security Centre (ACSC), it claimed, contacted it in March and informed it that it had learned Medlab may have been the target of a ransomware attack.
In its response, ACL stated that the company had answered to the request for information and had “verified that, to its knowledge, the company did not believe that any data had been hacked.”
The ACSC allegedly contacted ACL once more in June and informed it that it thought some Medlab material might be available on the dark web.
According to Professor Buckland, the data’s publication to the dark web, a portion of the internet that is concealed, would imply that it had been offered for sale.
He argued that this is risky since it could result in identity theft or criminals using victims’ false identities to commit crimes or obtain money.
Every piece of information that can be used to mimic you and steal your identity can be merged with other parts, he explained.
“And in this instance, credit card numbers and CVV numbers provide them the ability to act in your place while carrying out card transactions. That is a current expense.”
He emphasized that by holding off on informing customers, those persons had only recently been given the chance to update their credit card information or other forms of identification.
According to Professor Buckland, ACL had three chances to tell its clients about material that was on the dark web, not the first and second.