News: MPL UPDATE 1-Australia's Medibank estimates about $22 mln hit from data breach, page-49

Hi @mama1080,

Yes it is possible that the database(s) were encrypted and passwords (stolen or not) were used. However MPL have not declared that this is the case, even though to do so would be the first line of defence in a damages case.

A reasonable precaution for a systems designer to take is to ensure that only small quantities of data, consistent with immediate usage by a human, are available within a prescribed period of time. The damage done to MPL here is principally because data has been stolen in "commercial quantities". I have designed a system for international criminal surveillance that does not allow even valid logins to access any more than a few records per day. There are "right to know" checks on segments of the database too.

The only way to process large volumes of data securely is to do it via audited and secure scripts (programs) that cannot be started or stopped easily (certainly not by a session started over the internet). Refer @theghostwithin ( post ).

MPL's problem is almost certainly caused by having a vast amount of data created last century that is still required to assess claims, even today. It takes long outage times and considerable expense to convert this un-encrypted data into a complete working safe system.
So why bother encrypting it ?
Answer : Because the costs of doing nothing are not tangible.
That is, until the "failure of security audit" becomes a crime.
Just like driving on the wrong side of the road,
you're still at fault even if no harm is done.

Like the driving habits of the "Toads of Toad Hall" were brought into line over 100 years ago, the same thing will eventually happen on the internet highways.