ABC News
By business journalist Emilia Terzon

The editorial questions ABC News journalists faced when covering the Medibank data leak

"Added one more file: abortions."

I found out about this post by Medibank's hackers through anonymous sources who were monitoring the dark web as the company's cyber-hacking crisis continued.

We were all aghast.

It's estimated that one-in-six Australian women in their 30s have terminated a pregnancy, including myself.

I don't think there's anything shameful about this but it's something personal you'd only want revealed on your own terms.

As I sat there ready to report on the story for TV that day, I imagined how my healthcare data could reveal the tangible specifics of my termination, like dates and place.

I imagined a powerlessness and the questions that could be asked.

Luckily, I wasn't a Medibank customer.

However, it was clear to me on that day that the company's hackers were intentionally leaking data in a bid to weaponise issues with ongoing stigma in Australian society.

The cyber hack on the private health company ended up impacting 9.7 million of its former and current customers — that's more than one in three Australians.

For days on end, an entity said to be linked to Russian hackers posted stolen information that was clearly designed to shock and shame Medibank into paying up a ransom, or to make a high-profile example of it for refusing to do so.

As well as the "abortion" file, they posted stolen data about Medibank customers who had sought treatment for substance use, something that one-in-20 of us have struggled with, according to federal healthcare data.

There was also data about patients with mental health conditions, another deeply personal experience that touches many Australians and their loved ones, and has causational links to trauma and disadvantage.

Sources also told me that high-profile surnames were being targeted, obviously to create a splash in the media.

Each day, as journalists covering this story for ABC News, we had to make editorial decisions about how far to go with the information being posted.

It was a huge national story and there was great public appetite for detail.

Do we report the digital age bomb threat?

There's a long-standing practice in newsrooms that you rarely report a bomb threat.

It's believed that giving perpetrators airtime can feed the feeling of power they seek and encourage copycats, all while fuelling unnecessary public anxiety and disruption at schools and workplaces that were never actually under serious threat.

Some cybersecurity experts I interviewed speculated — and they still do — that the hackers were not sophisticated masterminds but teenagers sitting around in a dark basement getting off on the power of it all.

Were we elevating their authority by giving them headlines?

I thought about this a lot while reporting for weeks on the Medibank hack for the ABC's national business team.

I spoke with several cybersecurity experts, including Professor Richard Buckland, about the ethics of how far we went with the story.

His point to me was that we would not see change in regulation, penalties or culpability by companies who do not secure data adequately unless the media reported strongly on the worst-case example, which, it soon became evident, was what was developing with Medibank.

"It is in the public's interest to know about the level of cybercrime the world is facing, and to know the lack of preparedness of most Australian organisations," Professor Buckland told me.

And, unlike the fake bomb threat, there was an actual negative impact on people whose data was stolen, even if the media played down the story.

Stolen information posted to the depths of the internet — where it is still sitting in the case of Medibank data — can be re-sold for purposes of identity theft or even open people up to individual blackmail.

At the height of the crisis, we also spoke to international students using Medibank as a healthcare provider because they had been required to do so under their visas.

There were concerns for those from countries where being LGBTQIA+ was not legally or culturally acceptable.

They were worried the Medibank data might reveal private gender or sexual orientation identities, and lead to repercussions back home for them and their families.

Learning about the psychology of cyber hacking

However, there was still an element of the bomb threat dance during the Medibank hack.

The hackers confirmed midway through posting the data — on the same forum that they had been using to upload it — that they had asked the ASX-listed company for a ransom in return for the stolen customer data.

Their demand worked out to $US1 per customer, or $US9.7 million ($11.7 million), relative pocket change for an ASX-listed entity worth $7.8 billion.

However, Medibank refused to pay the ransom on the grounds that it would be playing into extortion, without any guarantee that coughing up would get the data back.

The federal government backed this decision and still does.

One specialist I interviewed in the weeks covering this saga specialised in the psychology of cyber-hacking.

Professor Monica Whitty pointed out that the hackers were drip-feeding the release of customer data to cause more harm and keep pushing the company into paying its ransom.

"They may be trying to incite fear to try and change the decision of the company," Ms Whitty said.

"But there's also the second [angle] of, 'Look, we are going to make good with what we promised if you don't give us money'.

"So, then, when they do another attack, maybe they will be more profitable the next time."

There are now calls for reform to make it clearer in law that companies cannot pay a ransom, which some cybersecurity experts say would make Australian entities less of a target going forward.

Professor Whitty was also worried that some sections of the media were reporting the data hack as a breaking story without remembering that there were very real people behind the data.

"These people are victims of cyber hacking and they're not being treated as such," she said.

Medibank did set up help hotlines, including counselling for its customers.

Some I interviewed for ABC News were clearly worried, bordering on distressed, including those international students and people who had undergone procedures that some sections of society still view as taboo, such as those whose data may have appeared in the so-called abortion file.

As I mentioned, I feel no shame at having terminated an unplanned pregnancy but we know there is still some stigma attached to this choice.

As it turned out, the way Medibank's health code captured data about terminated pregnancies also meant that it included people who had done this because the pregnancy was threatening their life or might result in pain and suffering for the baby if it was born.

It also included people who had had the procedure to fix a partial miscarriage or other fertility conditions.

It makes you remember how important it is as a journalist to think before you post sensational headlines.

"I was very pleased to see how restrained the media was in reporting on the personal details of the people the blackmailer was trying to harm," Professor Buckland wrote to me recently.

"It made me proud of our media and values.

"The media coverage I saw had an important impact.

"It sparked public awareness of how dangerous it is for organisations to stockpile our data rather than deleting it or not even collecting it in the first place."

Early this month, after the story died down and the hackers never got what they wanted, they claimed to have dumped the final documents onto the dark web.

"Added folder full. Case closed," they wrote.

It's unclear if this is actually the case.

Unfortunately, those whose data has been stolen and posted online may spend a long time in quiet suspense.

And cybersecurity experts say we will almost certainly see many similar news stories repeated.
