First reported as a cyber incident, the Medibank cyber attack and subsequent data breach has been unfolding for a few months now. The latest is that Medibank has revealed how in fact the whole thing happened.
Here’s how it all began and where we’re up to with the Medibank hack.
Medibank data breach: what happened?
In October, Medibank went public with news that it suffered a cyber incident. Turns out it was a lot worse than Medibank first thought and, with the data on 9.7 million customers caught up in the massive breach.
The private health insurer told shareholders on October 12 it had fallen victim to a ‘cyber incident’. It said that in response to this incident, the organisation took immediate steps to contain it, and engaged specialised cybersecurity firms.
At the time, Medibank said there was no evidence that any sensitive data, including customer data, had been accessed in the cyber attack.
On October 17, it reaffirmed that after ongoing investigations, there was still no evidence customer data had been removed from its IT environment. It also emerged that Medibank was the victim of a ransomware extortion attempt, with the word ‘ransom’ hidden within the organisation’s messaging. But on October 19, things had taken an Optus-like turn.
In a statement issued via the ASX on October 19, Medibank said it has received messages from a group that “wishes to negotiate with the company regarding their alleged removal of customer data”. This negotiation was the hackers threatening to release the private medical information of high-profile Australians if a ransom wasn’t paid.
On October 20, Medibank said the Australian Federal Police was investigating the incident as a crime as data on its customers was confirmed breached. Then, on October 26, Medibank confirmed every one of its customers had their data breached.
However, on November 7, Medibank divulged just how bad things actually were.
“Given the nature of this crime, we now believe that all of the customer data accessed could have been taken by the criminal,” it said.
In a statement issued to the ASX, Medibank said it believed the criminal has accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers.
The criminal/s also accessed Medicare numbers (but not expiry dates) for ahm customers, passport numbers (but not expiry dates) and visa details for international student customers and accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed.
Health provider details, including names, provider numbers and addresses, are among the data accessed in the breach, Medibank said.
Despite this, Medibank said the criminal did not access primary identity documents, such as driver’s licences, for Medibank and ahm resident customers. Credit card and banking details are also apparently safe.
It was on November 7 that Medibank said it wasn’t paying, despite the ramifications.
“No ransom payment will be made to the criminal responsible for this data theft,” the statement reads.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Medibank CEO David Koczkar added.
Then, on November 9, it was confirmed data had been leaked.
The hackers, who claimed to have spent a month rummaging around Medibank’s systems, posted what they’ve called “naughty” and “nice” lists of health records, with the “naughty” list including people who’ve sought treatment for things like addiction and eating disorders. And they claim they’ve only started releasing the stolen information.
The hackers have also published emails they sent and received with Medibank while negotiating over the ransom. The emails, if they’re authentic, show the hackers refusing to name themselves except to say they’re with an “affiliate group.” Security researchers have dubbed the group BlogXX, which is a partial name of the onion address where the stolen data has been published. Oddly enough, the domain used to be run by the Russian-based REvil ransomware gang, though it’s not clear if some of the hackers are the same.
In one of the email exchanges published by the hackers, a representative from Medibank asks how they know the hackers will actually delete the data if they pay the ransom.
“We are doing business, even if it is not legal, and we are worried about our reputation. This is the key to payments,” the response from the hackers reads.
“We are interested in getting money, not destroying your company,” the hackers continued.
Whatever their intention, these hackers behind the cyber attack have now put out Medibank information that could be used to destroy the lives of regular people who may be struggling with any range of mental health and addiction issues.
In the days following Medibank refusing to pay a ransom, the health claims of hundreds of Medibank customers had been posted on the dark web, including claims related to the termination of pregnancy, harmful use of alcohol and treatment for drug use.
It was also revealed back in January that potential health insurance customers who requested quotes with ahm have also been caught up in the data breach.
This week, Medibank added an explanation.
“The criminal accessed our systems using a stolen Medibank username and password used by a third-party IT service provider,” Medibank explained in its half-year financial results.
“The criminal used the stolen credentials to access Medibank’s network through a misconfigured firewall which did not require an additional digital security certificate.”
Medibank said the criminal was able to obtain further usernames and passwords to gain access to a number of Medibank’s systems and that their access was not contained. The company said following the triage of a security alert on October 11, it closed down the criminal’s attack path.
“[We] can reconfirm no further activity by the criminal since 12 October 2022 has been detected inside our systems,” it wrote.
In its financial results, Medibank also noted that the breach has cost it a whopping $26 million, so far, with expectations that number will double by the time the year is out. During the six-month period, the insurer also lost 13,000 policyholders.
AFP points the blame
On November 11, the Australian Federal Police (AFP) made a bold statement, one that attributed the attack to Russia. AFP Commissioner Reece Kershaw declared hackers in Russia were responsible for the Medibank cyber attack.
“This is a crime that has the potential to impact on millions of Australians and damage a significant Australian business,” he said.
“This cyber attack is an unacceptable attack on Australia and it deserves a response that matches the malicious and far-reaching consequences that this crime is causing.”
Kershaw said the AFP is undertaking covert measures and working around the clock with domestic and international partners, including Interpol, to bring those responsible to justice.
“This is important because we believe those responsible for the breach are in Russia,” Kershaw said.
“Our intelligence points to a group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world. These cyber criminals are operating like a business.”
Kershaw said the AFP has reason to believe that some affiliates of the business may be operating in other countries, not just Russia.
“We believe we know which individuals are responsible, but I will not be naming them,” he added.
“What I will say is that we will be holding talks with Russian law enforcement about these individuals.”
Kershaw said the AFP was also “scouring the internet and dark web” to find people seeking to profit from this attack.
Medibank hackers declare the ‘case closed’
Medibank in December confirmed that more stolen customer data had been released on the dark web, with the hackers posting the data with a message that read: “Happy Cyber Security Day!!! Added folder full. Case closed.”
The #Medibank hackers have published more data and stated “Case closed.” Whether this means they’ve now released all the data that was stolen, and what they plan to do with any data that hasn’t been released, is unclear. pic.twitter.com/xIUYWPrlll
— Brett Callow (@BrettCallow) November 30, 2022
“We are in the process of analysing the data, but the data released appears to be the data we believed the criminal stole,” Medibank said. “Unfortunately, we expected the criminal to continue to release files on the dark web.”
Medibank Koczkar said while there are reports of this being a signal of ‘case closed’, his company’s work regarding the hack “is not over”.
Neither is that of Australia’s Privacy Commissioner.
OAIC launches official investigation
After announcing it was making preliminary inquiries with Medibank to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme in October, the Office of the Australian Information Commissioner (OAIC) in December commenced an official investigation into the personal information handling practices of Medibank.
The OAIC’s investigation into the hack will focus on whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure. The investigation will also consider whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs). Just like it did with Optus.
If the OAIC’s cyber attack investigation satisfies the Commissioner that an interference with the privacy of individuals has occurred, the Commissioner may make a determination that can include requiring Medibank to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage. If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.
Legal action against Medibank for data breach
Law firms Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers last month joined forces to run the legal action against Medibank, with reports noting the law firms have been investigating compensation claims and say they have registered tens of thousands of Medibank customers.
According to the ABC, the law firms are seeking compensation for Medibank and ahm health insurance customers who had their names, emails, mental health information and other data leaked.
If you or someone you care about needs support, please call LifeLine Australia on 13 11 14. If life is in danger, call 000. Please do NOT call 000 if you are concerned about the Medibank data breach, reach out to Medibank for help on 13 23 31.
This article has been updated since it was first published.