The federal government has left the door open to new laws that would make it illegal for companies to pay ransoms to hackers.
But cyber security minister Clare O’Neil has denied she’s softened her stance since the Optus breach, insisting both the telco and Medibank needed to “do better”.
More than 9.7m Australians have had their personal data breached after the credentials of someone with high-level access to the health insurer’s systems were obtained and then sold to hackers on a Russian cybercriminal forum.
The hackers, who have been releasing customer data on a dark web blog linked to the REvil Russian ransomware group, had sought $US10m ($A15.1m) from Medibank to prevent the leak.
But on advice from the Australian Federal Police and the government, the health insurer refused to pay up.
Speaking on Sunday, Ms O’Neil confirmed she was considering changes that would make it illegal for organisations to pay ransoms.
“I think it is pretty clear that Medibank were right not to pay the ransom because I have never seen people that lack a moral code so clearly than the hackers,” she told ABC’s Insiders.
“I think that was the right decision. And we are standing strong as a country against this. We don’t want to fuel that business model and that’s what happens when ransoms are paid.”
The government will first look at a number of “quick win” reforms before tackling the “big policy questions” which would require consultations.
After Optus was hacked last month, Ms O’Neil was quick to lash the telco for its handling of the attack, which she claimed at the time was “not sophisticated”.
Asked to address similar concerns with the Medibank hack, the minister declined to “provide a running commentary” and did not accept “there was any difference in tone”.
“I am very direct about how I communicate with these things. I have been direct in my discussion with Medibank and Optus,” Ms O’Neil said.
“I’ve made it clear that I don’t think the defences were where they needed to be but I say again, we have got to come at this conversation with a bit of humility here. Government has to step up to the plate too. This is a whole nation effort.
“I have said pretty clearly that both companies needed to do better.”
It comes after the government warned the Russian criminals accused of the hack to expect an Australian counteroffensive.
Around 100 officers from the Australian Federal Police will form a new permanent joint operation with the Australian Signals Directorate to target online criminals.
The operation will collect intelligence and identify ringleaders, networks and infrastructure in order to disrupt and stop their operations.