Updated on 2022-12-08: Medibank Shut Down Systems Over the Weekend to Make Security Improvements
Over the weekend, Australian health insurance company Medibank took its IT systems offline, closed its branches, and brought in Microsoft’s response team to help it make security improvements. Medibank suffered a cyber security breach in October and is still reeling from the fallout. Customer-facing platforms and IT systems were brought back online on Saturday; retail locations and call centers were scheduled to reopen on Monday. The Office of the Australian Information Commissioner has begun an investigation into Medibank’s data privacy and security practices.
Note
- Medibank has done a few things here: implemented two-factor authentication, added expanded analytics via a third party (in other words, hired an MSP), and categorized the exfiltrated data to quantify its use and the reporting requirements. When reviewing your shop, make sure that separate accounts are used for administration and for end-user activities wherever possible, and make sure you’re MFAing all the users, not skipping admins/VIPs/etc.
- Prior to this, they already made the most important step to raise the bar against attacks: “This follows the recent addition of two-factor authentication in our contact centres,” said Medibank.
- Test your cyber resilience plans before an incident. Use these unfortunate events to motivate your leadership to investigate the data privacy and security practices before a breach. Happy they are doing Lessons Learned and hope they are shared with the public.
- The recovery costs for this breach continue to rise. Additional costs will likely include customer monitoring services, government privacy-related fines, and loss of customers given the damage to the brand. This makes for an excellent risk management case study for boards weighing cybersecurity costs.
Read more in
- Medibank systems back online after weekend shutdown for security update
- REvil-hit Medibank to pull plug on IT, shore up defenses
- OAIC opens investigation into Medibank over data breach
Updated on 2022-12-02
Hackers behind the Medibank breach leaked the remainder—a compressed file worth 5GB—of the customer data they stole from the healthcare insurer and declared “case closed.” Read more: Medibank hackers announce ‘case closed’ and dump huge data file on dark web
Updated on 2022-12-01: Full Medibank dump
The REvil ransomware gang has released the entire data set the group has stolen from Australian healthcare insurer Medibank. The data was published after the Australian company refused to pay the gang’s extortion demand following a security breach in mid-October. Medibank has officially confirmed the leak of its entire data, which includes the personal and medical information of 9.7 million current and former customers. Read more: Medibank cybercrime update
Updated on 2022-11-18: Shut up, Russia
The Russian government has issued a spunky statement regarding Australia identifying the Medibank hackers as located in Russia before contacting Russian law enforcement. For a country that rarely does anything to curb its ginormous cybercrime ecosystem, Russian government officials sure have a lot to be mouthy about.
Russia is taking issue it wasn't notified prior to @AusFedPolice's announcement that it knows who the @medibank ransomware attackers are and that they are in Russia. #auspol #infosec https://t.co/MR8VeMoWiy
— Jeremy Kirk (@Jeremy_Kirk) November 11, 2022
Updated on 2022-11-11: Medibank leaks begin
After Medibank said it wouldn’t pay an extortion demand to a ransomware crew that hit its systems last month, the group—tracked as BlogXX—has started leaking the personal data of some of the healthcare provider’s customers. In light of the new development, the Australian Federal Police said it took “immediate measures,” including covert techniques and the scouring of cybercrime sites to identify individuals abusing this data. Read more:
- Medibank: Data stolen from Australia health insurance available online
- Operation Guardian expanded to protect stolen information of Australians
Updated on 2022-11-10
BlogXX ransomware group leaked the health data of 48,000 Medibank customers after the firm refused to pay any ransom. Read more: Medibank won’t pay ransom as more stolen data shows up on dark web
Updated on 2022-11-09: Medibank update
In an update on its data breach disclosure, Australian private health insurance provider Medibank said the personal information of more than 9.7 million Australians was stolen in a ransomware attack last month. The company said it does not plan to pay the threat actor’s ransom demand. A ransomware gang known as BlogXX (believed to be a subgroup of the older REvil gang) took credit for the intrusion and data theft. Read more: Medibank cybercrime update
BlogXX has just added a YouTube video to the Medibank leak post. @medibank @malwrhunterteam @Cyberknow20 @Jeremy_Kirk #cybersecurity #infosec @INTERPOL_HQ https://t.co/vFEBLhupLi
— Dominic Alvieri (@AlvieriD) November 7, 2022
Updated on 2022-11-08
Shortly after Medibank confirmed that the recent breach impacted 9.7 million customers and refused to pay a ransom, the BlogXX/REvil ransomware group is threatening to leak the data. Read more: Ransomware Gang Threatens to Publish Medibank Customer Information
Updated on 2022-11-07: Medibank Will Not Pay Ransom
Australian health insurance firm Medibank will not pay a ransom demanded by attackers following a security incident that compromised the sensitive personal information of nearly 10 million customers. Medibank’s CEO said that “extensive advice” suggests that paying the ransom demand would not “ensure the return of our customers’ data [or] prevent it from being published.”
Note
- When paying the extorted ransom, there is no guarantee that your data won’t surface at a later date, other than the belief that ransomware operators won’t do that so as to ensure they keep getting paid. Medibank is assuming all of its customer data has been accessed and is advising customers accordingly. Two things to keep in mind if you find yourself in this position. First, known compromised companies are at the top of the list for attackers to attempt to “re-compromise,” so remediation requires not only addressing the entry point but also making sure that you don’t leave any attacker footholds behind. Second, your customers are at risk of direct attacks, whether their data is used for identity theft or leveraged to pressure them into paying a ransom directly, in which case you need to support your customers with identity protection and with information and support in the event they are targeted.
Read more in
- Breached health insurer won’t pay ransom to protect customers, warns of more attacks
- Ransomware gang threatens to release stolen Medibank data
- Medibank Says No to Paying Hacker’s Extortion Demand
- Medibank cybercrime update (PDF)
Updated on 2022-10-27: Australian Health Insurance Breach Gets Whole of Government Response
The breach at Medibank Private, one of Australia’s largest private health insurance companies, continues to get worse. The government’s response to it, however, is very interesting.
The mid-October incident was initially thought to be a foiled ransomware attempt, but it now turns out that data from all 3.8m Medibank customers (and also former customers) may have been stolen.
https://twitter.com/arielbogle/status/1584694880919748608
The attacker had access to customer data from both Medibank’s AHM and Medibank Insurance brands, including personally identifiable data such as names, addresses, dates of birth, Medicare numbers and “significant amounts of health claims data”. It is not yet clear how much of this data was stolen, but Medibank says “we expect that the number of affected customers could grow substantially”.
Medibank did not have cyber insurance and expects that the incident will cost it AUD$25-35m, not including “further potential customer and other remediation, regulatory or litigation related costs”. Medibank shares, which had been under a trading halt until yesterday, dropped 18%, wiping out about AUD$1.75bn of market value.
Based on our current actions in response to the cybercrime event, noting that Medibank does not have cyber insurance, we currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23.
— Medibank (@medibank) October 25, 2022
The Australian Financial Review reports that initial investigations have found that the criminals purchased stolen credentials online and somehow bypassed MFA to gain access. The thieves set up two backdoors, then ran custom-built tools to run automated queries to extract data from Medibank databases.
So, a competent but not exceptional operation that wasn’t detected until the data was being exfiltrated. The persons responsible claim to have nabbed 200GB of data! The only saving grace is that Medibank and its CEO have been pretty transparent and have steered clear of calling the hack “sophisticated”. They must have listened when Australia’s cyber security minister slapped down claims that the recent hack of Optus was such.
Medibank is offering a more extensive support package to affected customers than we’ve seen in other breaches, so it looks like the Australian government successfully used the recent Optus breach to set expectations that companies affected by data breaches will cover costs for affected customers. Beyond the standard free identity monitoring this includes financial support for those customers “who are in a uniquely vulnerable position as a result of this crime”, mental health and wellbeing support, and reimbursement of fees for new identity documents. Medibank has also deferred premium increases by a couple of months.
This response has (so far) kept Medibank out of the government’s crosshairs, with Cyber Security Minister Clare O’Neil describing the Medibank breach as a horrendous criminal “dog act”.
But the government is not letting Medibank deal with this by itself. O’Neil has invoked the National Coordination Mechanism, a crisis response mechanism set up to deal with the complexities of the Covid pandemic, to coordinate a whole-of-government response. Agencies responding to the breach include the Australian Signals Directorate, the Australian Federal Police, Services Australia and the Department of Health, and we are pleased to see that some hounds have actually been released.
“I want to thank the Australian Signals Directorate and the Australian Federal Police on the intensive work that is underway to hunt down the attacker, they are undertaking a very significant operation,” O’Neil said.
This afternoon in Parliament I gave an update on the Medibank cyber incident.
The Australian Government is working round the clock to protect Medibank customers and their privacy. #QT pic.twitter.com/ZijzI2q1SH
— Clare O'Neil MP (@ClareONeilMP) October 25, 2022
We’ve never seen a response like this in Australia, so it’ll be interesting to see what such a comprehensive mobilisation of government resources can achieve.
Beyond the steps taken to coordinate a whole-of-government response and the future strengthening of the Privacy Act (see Reasons to be Cheerful #1, below), another initiative we’d like to see is public reports into significant breaches, similar to the log4j report produced by the US Cyber Safety Review Board. The Office of the Australian Information Commissioner has announced it will investigate the Optus breach, so it would be good to see a public report on its findings.
Updated on 2022-10-26: More Medibank Breach Details Emerge
Australian insurance provider Medibank now says that a data breach disclosed earlier this month compromised personal information of all 4 million customers. The compromised data include claims details. Medibank said that it does not have insurance for cyber incidents and that it expects costs associated with the breach to total between AU$25 million and AU$35 million ($16M to $22.4M) over the next six months.
Note
- This is a great example of what cyber insurance can do for an organisation. Cyber insurance won’t prevent an attack, nor will it by itself reduce the technical risks you may face, however it does help you cover the financial risk from a cybersecurity breach.
- Before casting doubts on being self-insured, check with your insurance providers to make sure you understand what sorts of incidents are _NOT_ covered. You may find you’ve got a gap you didn’t anticipate. In addition to the costs above, Medibank is also expected to face large regulatory fines. Take note of the support Medibank is providing to customers, its statements about impact, and its reporting of operational status, including financial impact and investor briefings. Are you prepared to be this transparent in a breach and to provide your customers with this level of support? Double check that at the highest levels.
Read more in
- Health insurer Medibank’s data breach diagnosis keeps getting worse
- Medibank now says hackers accessed all its customers’ personal data
- Medibank cybercrime, business and FY23 outlook update (PDF)
Updated on 2022-10-25
Medibank confirmed that the recent data breach compromised the personal and health data of all of its 3.9 million customers, causing a potential financial impact of $25–$35 million. Read more: Data Breach at Australian Health Insurer Impacts 4 Million Customers; Could Cost $35M
Updated on 2022-10-20: Medibank Says Patient Data Were Compromised
Australian health insurance company Medibank now says that patient data were stolen in a breach that was disclosed earlier this month. The exfiltrated information includes Medicare and policy numbers, treatment location data, and codes related to diagnoses and procedures. The breach is being investigated by the Australian Federal Police.
Note
- Medibank is being very transparent here. Take note of some of the recovery actions, which include setting up a cyber response hotline and redirecting staff to answer it, halting trading of Medibank shares, and publishing which data elements they have verified as stolen versus which elements the attackers claim to have. Consider adding similar actions to your incident response plan.
Read more in
- Medibank cyber incident response (PDF)
- Health insurer’s infosec incident diagnosis goes from ‘take a chill pill’ to emergency ward
- Australian Health Insurer Medibank Admits Customer Data Stolen in Ransomware Attack
- Australia’s Data Breach Debacle Expands
Updated on 2022-10-19
An unknown hacker group claimed to have stolen 200GB of data from Medibank and threatened to leak the private information of high-profile Australians if a ransom isn’t paid. Read more: Medibank hackers threaten to release stolen health data in ransom demand
Updated on 2022-10-18
Australian insurance company Medibank confirmed that the disruption of online services was caused by a ransomware attack. It claimed that no systems were encrypted. Read more: Australian Insurer Medibank Says Incident Was Ransomware
Updated on 2022-10-13
Australian private medical insurer Medibank has acknowledged that it was the victim of a cyber intrusion and data compromise. In an update, Medibank writes, “we … have successfully taken offline the ahm and international student policy systems and its data, and we are in the process of methodically and safely restarting the systems.”
Note
- Medibank has set up a status page with information and updates for customers (first link below) and has sent over 2.8 million email and text messages (where preferred) to Medibank and ahm customers. They have engaged the Australian Cyber Security Centre, regulators, and others to assist with the agency and comms. Keep an eye on the status page as things progress and services are restored.
Read more in
- Cyber incident update
- Medibank restores services as experts warn of backlash
- Insurer Medibank hit by targeted cyberattack
Overview
Medibank Private identified a security incident, forcing the Australian health insurer to isolate and remove access to some customer-facing systems. Read more: Australia’s Medibank reports cyber incident, shares on trading halt