Although Medibank initially claimed there was “no evidence that customer data has been accessed”, the public learned the scale of the breach last Thursday as the Australian Signals Directorate and the AFP started to investigate.
What happened?
On 13 October, Medibank announced that it had halted shares, taken down its budget provider, ahm, and its international student division due to a “cyber incident”.
On the following day, the company announced it had restored systems and was “still responding” to the incident.
Medibank initially emphasised there was “no evidence that customer data has been accessed”.
However, last week Medibank disclosed to the Australian stock exchange that hackers had contacted them to “negotiate” over the future of 200 gigabytes of customer data they claimed had been stolen.
What type of cyberattack occurred?
The Australian reports that a credential broker – a type of criminal that steals and sells credentials – obtained a Medibank login with high-level access to the health insurer’s network, then advertised it on a Russian-language forum.
A second criminal bought the login and accessed Medibank’s network to collect information about its structure and function.
The hackers built a custom tool to steal data in bulk from Medibank’s system. A zip file with all customer information was created and then moved, alerting Medibank to suspicious activity.
Investigators from the Australian Federal Police and Australian Signals Directorate are still determining how long the criminal who bought the Medibank login was on the network.
What data was accessed by the threat actors?
Medibank stated that the data is believed to have come from their ahm and international student systems.
The hacker shared a sample of 100 stolen policies for verification. This information contained:
- Names
- Addresses
- Dates of birth
- Medicare numbers
- Phone numbers
- Medical claims documents (including medical diagnoses, procedures, as well as substance abuse and mental health treatment records)
According to Medibank, the attacker also claimed to have “data related to credit card security” but this has yet to be verified.
How many Medibank customers were affected?
The Australian health insurance company confirmed today that all of its 3.9 million customers have been affected by the cyberattack.
Hackers begin to leak data
Yesterday, Medibank said the hackers had shared another 1000 ahm customer files, in addition to the 100 sample customers it confirmed last Thursday.
Medibank hack ignites new government legislation
This week, the government is set to introduce new legislation to parliament that greatly increases penalties for companies that fail to secure sensitive data properly.
Fines will be set at whichever is greatest: $50 million, 30% of the company’s turnover in the relevant period, or three times the benefit gained from the stolen data.
Under the new laws, the Australian Information Commissioner would have more power to resolve breaches, and information sharing with the Australian Communications and Media Authority would increase.
Advice for Medibank customers
In a data breach of this size and scope, it may be difficult for an individual to respond adequately. In most cases, criminals will use this information to take out fraudulent loans or make purchases using credit cards. Monitoring financial information is essential for managing this risk.
The risks of social media platforms can be managed by reviewing security settings, closing old or unused accounts, and being cautious about what is posted. That way, criminals cannot use contextual information from those accounts to steal your identity or conduct personalised phishing attacks.