Updated on 2022-11-18: Shut up, Russia
The Russian government has issued a spunky statement in regards to Australia identifying the Medibank hackers as located in Russia before contacting Russian law enforcement first. For a country that rarely does anything to curb its ginormous cybercrime ecosystem, Russian government officials sure have a lot to be mouthy about.
Russia is taking issue it wasn't notified prior to @AusFedPolice's announcement that it knows who the @medibank ransomware attackers are and that they are in Russia. #auspol #infosec https://t.co/MR8VeMoWiy
Updated on 2022-11-11: Medibank leaks begin
After Medibank said it wouldn’t pay an extortion demand to a ransomware crew that hit its systems last month, the group—tracked as BlogXX—has started leaking the personal data of some of the healthcare provider’s customers. In light of the new development, the Australian Federal Police said it took “immediate measures,” including covert techniques and the scouring of cybercrime sites to identify individuals abusing this data. Read more:
- Medibank: Data stolen from Australia health insurance available online
- Operation Guardian expanded to protect stolen information of Australians
Updated on 2022-11-10
BlogXX ransomware group leaked the health data of 48,000 Medibank customers after the firm refused to pay any ransom. Read more: Medibank won’t pay ransom as more stolen data shows up on dark web
Updated on 2022-11-09: Medibank update
In an update on its data breach disclosure, Australian private health insurance provider Medibank said the personal information of more than 9.7 million Australians was stolen in a ransomware attack last month. The company said it does not plan to pay the threat actor’s ransom demand. A ransomware gang known as BlogXX (believed to be a subgroup of the older REvil gang) took credit for the intrusion and data theft. Read more: Medibank cybercrime update
— Dominic Alvieri (@AlvieriD) November 7, 2022
Updated on 2022-11-08
Shortly after Medibank confirmed that the recent breach impacted 9.7 million customers and refused to pay a ransom, the BlogXX/REvil ransomware group is threatening to leak the data. Read more: Ransomware Gang Threatens to Publish Medibank Customer Information
Updated on 2022-11-07: Medibank Will Not Pay Ransom
Australian health insurance form Medibank will not pay a ransom demanded by attackers following a security incident that compromised the sensitive personal information of nearly 10 million customers. Medibank’s CEO said that “extensive advice” suggests that paying the ransom demand would not “ensure the return of our customers’ data [or] prevent it from being published.”
- When paying the extorted ransom, there is not a guarantee that your data won’t surface at a later date, other than the belief that ransomware operators won’t do that to ensure they get paid moving forward. Medibank is assuming all their customer data have been accessed and advising customers accordingly. Two things to keep in mind if you find yourself in this position. First, known compromised companies are at the top of the list for attackers to attempt to “re-compromise” them, so remediation requires not only addressing the entry point but also making sure that you don’t leave any behind; second, your customers are at risk for direct-attacks, whether their data is being used for identity theft or leveraged to make a case for them to pay a ransom directly, in which case you need to support your customers with identity protection and information/support in the event they are targeted.
Read more in
- Breached health insurer won’t pay ransom to protect customers, warns of more attacks
- Ransomware gang threatens to release stolen Medibank data
- Medibank Says No to Paying Hacker’s Extortion Demand
- Medibank cybercrime update (PDF)
Updated on 2022-10-27: Australian Health Insurance Breach Gets Whole of Government Response
The breach at Medibank Private, one of Australia’s largest private health insurance companies, continues to get worse. The government’s response to it, however, is very interesting.
The attacker had access to customer data from both Medibank’s AHM and Medibank Insurance brands including personally identifiable data such as names, addresses, dates of birth, medicare numbers and “significant amounts of health claims data”. It is not yet clear how much of this data was stolen, but Medibank says it “we expect that the number of affected customers could grow substantially”.
Medibank did not have cyber insurance and expects that the incident will cost it AUD$25-35m not including “further potential customer and other remediation, regulatory or litigation related costs”. Medibank shares, which had been under a trading halt until yesterday, dropped 18% wiping out about AUD$1.75bn of market value.
Based on our current actions in response to the cybercrime event, noting that Medibank does not have cyber insurance, we currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23.
— Medibank (@medibank) October 25, 2022
The Australian Financial Review reports that initial investigations have found that the criminals purchased stolen credentials online and somehow bypassed MFA to gain access. The thieves set up two backdoors, then ran custom-built tools to run automated queries to extract data from Medibank databases.
So, a competent but not exceptional operation that wasn’t detected until the data was being exfiltrated. The persons responsible claim to have nabbed 200GB of data! The only saving grace is that Medibank and its CEO have been pretty transparent and have steered clear of calling the hack “sophisticated”. They must have listened when Australia’s cyber security minister slapped down claims that the recent hack of Optus was such.
Medibank is offering a more extensive support package to affected customers than we’ve seen in other breaches, so it looks like the Australian government successfully used the recent Optus breach to set expectations that companies affected by data breaches will cover costs for affected customers. Beyond the standard free identity monitoring this includes financial support for those customers “who are in a uniquely vulnerable position as a result of this crime”, mental health and wellbeing support, and reimbursement of fees for new identity documents. Medibank has also deferred premium increases by a couple of months.
This response has (so far) kept Medibank out of the government’s crosshairs, with Cyber Security Minister Clair O’Neil describing the Medibank breach as a horrendous criminal “dog act”.
But the government is not letting Medibank deal with this by itself. O’Neil has invoked the National Coordination Mechanism, a crisis response mechanism set up to deal with the complexities of the Covid pandemic, to coordinate a whole-of-government response. Agencies responding to the breach include the Australian Signals Directorate, the Australian Federal Police, Services Australia and the Department of Health, and we are pleased to see that some hounds have actually been released.
“I want to thank the Australian Signals Directorate and the Australian Federal Police on the intensive work that is underway to hunt down the attacker, they are undertaking a very significant operation,” O’Neil said.
This afternoon in Parliament I gave an update on the Medibank cyber incident.
— Clare O'Neil MP (@ClareONeilMP) October 25, 2022
We’ve never seen a response like this in Australia, so it’ll be interesting to see what such a comprehensive mobilisation of government resources can achieve.
Beyond the steps taken to coordinate a whole of government response and future strengthening of the Privacy Act (see Reasons to be Cheerful #1, below), another initiative we’d like to see is public reports into significant breaches, similar to the log4j report produced by the US Cyber Safety Review Board. The Office of the Australian Information Commissioner has announced it will investigate the Optus breach, so it would be good to see a public report on its findings.
Updated on 2022-10-26: More Medibank Breach Details Emerge
Australian insurance provider Medibank now says that a data breach disclosed earlier this month compromised personal information of all 4 million customers. The compromised data include claims details. Medibank said that it does not have insurance for cyber incidents and that it expects costs associated with the breach to total between AU$25 million and AU$35 million ($16M to $22.4M) over the next six months.
- This is a great example of what cyber insurance can do for an organisation. Cyber insurance won’t prevent an attack, nor will it by itself reduce the technical risks you may face, however it does help you cover the financial risk from a cybersecurity breach.
- Before casting doubts on being self-insured, check with your insurance providers to make sure you understand what sorts of incidents are _NOT_ covered. You may find you’ve got a gap you didn’t anticipate. In addition to the fines above, Medibank is also expected to have large regulatory fines. Take note of the support Medibank is providing to customers, statements about impact as well as operational status to include financial impact and investor briefings. Are you prepared to be this transparent in a breach as well as provide your customers with this level of support? Double check that at the highest levels.
Read more in
- Health insurer Medibank’s data breach diagnosis keeps getting worse
- Medibank now says hackers accessed all its customers’ personal data
- Medibank cybercrime, business and FY23 outlook update (PDF)
Updated on 2022-10-25
Medibank confirmed that the recent data breach compromised the personal and health data of all of its 3.9 million customers, causing a potential financial impact of $25–$35 million. Read more: Data Breach at Australian Health Insurer Impacts 4 Million Customers; Could Cost $35M
Updated on 2022-10-20: MediBank Says Patient Data Were Compromised
Australian health insurance company MediBank now says that patient data were stolen in a breach that was disclosed earlier this month. The exfiltrated information includes Medicare and policy numbers, treatment location data, and codes related to diagnoses and procedures. The breach is being investigated by the Australian Federal Police.
- Medibank is being very transparent here. Take note of some of the recovery actions which include creating and redirecting staff to answer their cyber response hotline, halting trading of Medibank shares, as well as publishing what data elements they have verified versus which elements the attackers claim to have. Consider adding similar actions to your incident response plan.
Read more in
- Medibank cyber incident response (PDF)
- Health insurer’s infosec incident diagnosis goes from ‘take a chill pill’ to emergency ward
- Australian Health Insurer Medibank Admits Customer Data Stolen in Ransomware Attack
- Australia’s Data Breach Debacle Expands
Updated on 2022-10-19
An unknown hacker group claimed to have stolen 200GB of data from Medibank and threatened to leak the private information of high-profile Australians if a ransom isn’t paid. Read more: Medibank hackers threaten to release stolen health data in ransom demand
Updated on 2022-10-18
Australian insurance company Medibank confirmed that the disruption of online services was caused by a ransomware attack. It claimed that no systems were encrypted. Read more: Australian Insurer Medibank Says Incident Was Ransomware
Updated on 2022-10-13
Australian private medical insurer Medibank has acknowledged that it was the victim of a cyber intrusion and data compromise. In an update, Medibank writes, “we … have successfully taken offline the ahm and international student policy systems and its data, and we are in the process of methodically and safely restarting the systems.”
- Medibank has set up a status page with information and updates for customers (first link below) and has sent over 2.8 million email and text messages (where preferred) to Medibank and ahm customers. They have engaged the Australian Cyber Security Centre, regulators, and others to assist with the agency and comms. Keep an eye on the status page as things progress and services are restored.
Read more in
- Cyber incident update
- Medibank restores services as experts warn of backlash
- Insurer Medibank hit by targeted cyberattack
Medibank Private identified a security incident, forcing the Australian health insurer to isolate and remove access to some customer-facing systems. Read more: Australia’s Medibank reports cyber incident, shares on trading halt