February 24, 2026 7 mins

There's been a second major medical platform hack, leaving live patients labelled as dead and people's names changed to Charlie Kirk, the American activist who was shot dead last year – assassinated really. MediMap is widely used across New Zealand. It's often used by the aged care, disability, hospice and community health sectors. It's the second major cyber-attack on medical files and records in recent weeks after Manage My Health was hit at the end of last year, start of this year. Manage My Health's portal systems were compromised over the New Year holiday, putting the data of more than 120,000 users at risk. But it seems the two breaches are vastly different.  

Manage My Health was a ransomware attack conducted by a professional hacker. Kazu, not their real name, said they were motivated by notoriety and by profit. And there are thousands like Kazu. Think Roddy Ho in Slow Horses – annoying little geniuses who are completely removed from the rest of the world, who think along a different code, who live a different life. They do it because they can, because they think they're so clever and they want to prove it to their peers. They love showing off their hacking abilities. In some cases, they demand a ransom, in some cases they're motivated by profit, in other cases not. And generally, when the ransom is paid, they're terribly professional, you never hear another word from them. They take the money, they go and hit somebody else. In the case of MediMap, it seems there was a different motivation, as Geoffrey Sayer from MediMap told Mike Hosking this morning.

“What people would imagine a cyber hack is, is you've come in and brute forced and you've gone through a vulnerability in the software or the platform. This has not been the case. They've used credentials to come in, for all intents and purposes they look like a regular user, but what they started to do was not what a regular user does, which is why we shut the system down and contained it and are now working with forensic experts and government agencies to understand what's happened and then how do we bring this back online for people. We can trace it to a profile, I suppose is the best way to describe it, but we've subsequently become aware that that profile quite possibly had been compromised with their credentials.” 

So it could have been a staff member's kid or partner or just somebody who had access to that code. And we actually were having a discussion before we came on air, I said to the boss because I'd been broadcasting from home for the first two weeks, I said if one of the grandkids was tinkering around on the computer, would they be able to get into the radio station basically and move things around? And he said no, there's about three or four different passwords, but I don't have access to the inner workings. I need to be guided through it anyway and given different passwords at different points. So there could be no accidental hacking of this radio station by anybody at my house.  

These are not the first hacks, and they won't be the last. We have to accept that if we want the convenience of living in an online world, we're vulnerable, especially when we are complete tits when it comes to our security. Guess what the most common password is and has been for years? Yep, ‘123456’. Second most common, this is worldwide, not just New Zealand, second most common is ‘password’, third is ‘admin’, fourth is ‘qwerty’, and the fifth is ‘12345678’ – that'll fool them, adding the seven and the eight at the end, hey? I mean you don't even have to be a particularly good hacker to get into most people's computers.  

But what if you're scrupulous about your privacy? Sure, there should be tougher penalties for the hackers, but what about those who store our information, who demand it? How many places do we go where even the retail assistants, their KPI is to harvest our email addresses, to get them from us and the more they get, the more they're rewarded. Those who store our information should understand that it's a privilege. They use it. They can make money from it, they can profit from it.  

So should companies be held accountable if their security is breached? Should they have to pay some really serious fines so they get really serious about their security? In the case of MediMap, they handled that vastly differently. Different circumstances, but they handled it so much better than Manage My Health. They realised that somebody had access who legitimately got into the computer, to all intents and purposes the computer thought, yep, that's fine, come on in, you're welcome. Then once they started fiddling around, the computer recognised that something was going on that shouldn't be occurring and shut itself down. So different circumstances. But how much onus should be on the companies to protect our data and our information? There are million

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:06):
You're listening to the Kerre Woodham Mornings podcast from
Newstalk ZB.

Speaker 2 (00:11):
There's been a second major medical platform hack, leaving live
patients labeled as dead and people's names changed to Charlie Kirk,
the American, I suppose, activist who was shot dead last
year, assassinated really. MediMap is widely used across New Zealand.

(00:37):
It's often used by the aged care, disability, hospice, and
community health sectors. It's the second major cyber attack on
medical files and records in recent weeks, after Manage My
Health was hit at the end of last year, start
of this year. Manage My Health's portal systems were compromised
over the New Year holiday, putting the data of more

(00:59):
than one hundred and twenty thousand users at risk. But
it seems the two breaches are vastly different. Manage My
Health was a ransomware attack conducted by a professional hacker. Kazu,
not their real name, said they were motivated by notoriety
and by profit, and there are thousands like Kazu. Think

(01:23):
Roddy Ho in Slow Horses, annoying little geniuses who are
completely removed from the rest of the world, who think
along a different code, who live a different life. They
do it because they can, because they think they're so clever,
and they want to prove it to their peers. They

(01:44):
love showing off their hacking abilities. In some cases they
demand a ransom, in some cases they're motivated by profit,
in other cases not. And generally when the ransom is paid,
they're terribly professional. You never hear another word from them.
They take the money, they go and hit somebody else.
In the case of MediMap, it seems there was a

(02:06):
different motivation, as Geoffrey Sayer from MediMap told Mike Hosking this morning.

Speaker 3 (02:10):
What people would imagine a cyber hack is, is
you've come in and brute forced and you've gone through a
vulnerability in the software or the platform. This has not
been the case. They've used credentials to come in, for
all intents and purposes they look like a regular user, but
what they started to do was not what a regular
user does, which is why we shut the system down

(02:31):
and contained it and are now working with forensic experts
and government agencies to understand what's happened and then
how do we bring this back online for people. We
can trace it to a profile, I suppose is the best way to describe it,
but we've subsequently become aware that that profile quite
possibly had been compromised with their credentials.

Speaker 2 (02:53):
So it could have been a staff member's kid or partner, or just
somebody who had access to that code. We actually were
having a discussion before we came on air. I said
to the boss, because I've been broadcasting from home for
the first two weeks, I said, if one of the
grandkids got into, you know, was tinkering around on the computer,
would they be able to get into the radio station

(03:16):
basically and move things around? And he said no, there's
about three or four different passwords, but I don't have
access to the inner workings. I needed to be guided
through it anyway and given different passwords at different points,
so there could be no accidental hacking of this radio
station by anybody at my house. These are not the

(03:41):
first hacks, and they won't be the last. We have
to accept that if we want the convenience of living
in an online world, we're vulnerable, especially when we are
complete tits when it comes to our security. Guess what
the most common password is and has been for years?

(04:03):
Yep, one, two, three, four, five, six. Second most common, this
is worldwide, not just New Zealand, second most common is password,
third is admin, fourth is qwerty, and the fifth
is one, two, three, four, five, six, seven, eight. That'll

(04:24):
fool them, adding the seven and the eight at the
end, hey? I mean, you don't even have to be
a particularly good hacker to get into most people's computers.
But what if you're scrupulous about your privacy? Sure, there
should be tougher penalties for the hackers, but what about
those who store our information who demand it? How many

(04:48):
places do we go, we were talking about this just
the other week, where even, you know, the retail
assistants, their KPI is to harvest our email addresses,
to get them from us, and the more they get,
the more they're rewarded. Those who store our information should

(05:09):
understand that it's a privilege. They use it, they can
make money from it, they can profit from it. So
should companies be held accountable if their security is breached?
Should they have to pay some really serious fines so
they get really serious about their security? In the case

(05:32):
of MediMap, they handled that vastly differently. Different circumstances, but
they handled it so much better than Manage My Health.
They realized that somebody had access who legitimately got into
the computer, you know, to all intents and purposes, the
computer thought, yep, that's fine, come on in, you're welcome.

(05:54):
Then once they started fiddling around, the computer recognized that
something was going on that shouldn't be occurring and shut
itself down. So different circumstances. But how much onus should
be on the companies to protect our data and our information?

(06:14):
Should the penalties be much more harsh? And is there
any way of staying offline? And I know some people
up north, fabulous family, and they are pretty much offline.
They do not connect, they don't take the dole, they

(06:37):
don't take sickness benefits. They want to live their life
free of interference. But it takes some effort to do that.
To stay offline, to stay as far away as possible
from computers and from government takes a great deal of

(06:59):
effort that I think most of us would not be
able to. And even then they're not completely offline. It
takes a huge amount of effort. So how much of
the onus should be on the companies to protect our information?
There are millions of Roddy Hos out there all wanting

(07:19):
to show they're the cleverest thing in the whole wide world.
How much should be on us to change our password
and put in basic security protocols? And how can we
stay or limit our presence online? Is there any way
of having our cake and eating it too, to have

(07:39):
the convenience of an online world without basically being laid
bare and naked before the whole wide world?

Speaker 1 (07:49):
For more from Kerre Woodham Mornings, listen live to
Newstalk ZB from nine am weekdays, or follow
the podcast on iHeartRadio.