
Medibank Will Not Pay Ransom

Updated on 2022-11-18: Shut up, Russia

The Russian government has issued a spunky statement in regard to Australia publicly identifying the Medibank hackers as located in Russia before contacting Russian law enforcement. For a country that rarely does anything to curb its ginormous cybercrime ecosystem, Russian government officials sure have a lot to be mouthy about.

Updated on 2022-11-11: Medibank leaks begin

After Medibank said it wouldn’t pay an extortion demand to the ransomware crew that hit its systems last month, the group, tracked as BlogXX, has started leaking the personal data of some of the health insurer’s customers. In light of the new development, the Australian Federal Police said it took “immediate measures,” including covert techniques and the scouring of cybercrime sites, to identify individuals abusing this data.

Updated on 2022-11-10

BlogXX ransomware group leaked the health data of 48,000 Medibank customers after the firm refused to pay any ransom. Read more: Medibank won’t pay ransom as more stolen data shows up on dark web

Updated on 2022-11-09: Medibank update

In an update on its data breach disclosure, Australian private health insurance provider Medibank said the personal information of more than 9.7 million Australians was stolen in a ransomware attack last month. The company said it does not plan to pay the threat actor’s ransom demand. A ransomware gang known as BlogXX (believed to be a subgroup of the older REvil gang) took credit for the intrusion and data theft. Read more: Medibank cybercrime update

Updated on 2022-11-08

Shortly after Medibank confirmed that the recent breach impacted 9.7 million customers and refused to pay a ransom, the BlogXX/REvil ransomware group is threatening to leak the data. Read more: Ransomware Gang Threatens to Publish Medibank Customer Information

Updated on 2022-11-07: Medibank Will Not Pay Ransom

Australian health insurance firm Medibank will not pay a ransom demanded by attackers following a security incident that compromised the sensitive personal information of nearly 10 million customers. Medibank’s CEO said that “extensive advice” suggests that paying the ransom demand would not “ensure the return of our customers’ data [or] prevent it from being published.”

Note

  • Paying the ransom carries no guarantee that your data won’t surface at a later date; the only assurance is the operators’ interest in appearing “trustworthy” so that future victims keep paying. Medibank is assuming all of its customer data was accessed and is advising customers accordingly. Two things to keep in mind if you find yourself in this position. First, known-compromised companies are at the top of attackers’ lists for “re-compromise,” so remediation means not only closing the entry point but also hunting down every foothold (backdoors, added accounts, other persistence) the attacker left behind. Second, your customers are at risk of direct attacks, whether their data is used for identity theft or to pressure them into paying a ransom themselves, so you need to support them with identity protection and with information and help in the event they are targeted.


Updated on 2022-10-27: Australian Health Insurance Breach Gets Whole of Government Response

The breach at Medibank Private, one of Australia’s largest private health insurance companies, continues to get worse. The government’s response to it, however, is very interesting.

The mid-October incident was initially thought to be a foiled ransomware attempt, but it now turns out that data from all 3.8m Medibank customers (and also former customers) may have been stolen.

https://twitter.com/arielbogle/status/1584694880919748608

The attacker had access to customer data from both Medibank’s ahm and Medibank Insurance brands, including personally identifiable data such as names, addresses, dates of birth and Medicare numbers, as well as “significant amounts of health claims data”. It is not yet clear how much of this data was stolen, but Medibank says “we expect that the number of affected customers could grow substantially”.

Medibank did not have cyber insurance and expects that the incident will cost it AUD$25-35m not including “further potential customer and other remediation, regulatory or litigation related costs”. Medibank shares, which had been under a trading halt until yesterday, dropped 18% wiping out about AUD$1.75bn of market value.

The Australian Financial Review reports that initial investigations have found that the criminals purchased stolen credentials online and somehow bypassed MFA to gain access. The thieves set up two backdoors, then ran custom-built tools to run automated queries to extract data from Medibank databases.

So, a competent but not exceptional operation that wasn’t detected until the data was being exfiltrated. The persons responsible claim to have nabbed 200GB of data! The only saving grace is that Medibank and its CEO have been pretty transparent and have steered clear of calling the hack “sophisticated”. They must have listened when Australia’s cyber security minister slapped down claims that the recent hack of Optus was such.
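The attack chain described above (a valid account, then custom tooling issuing automated queries against the databases) is exactly the pattern that database audit logs can surface before exfiltration completes. The following is an added example, not Medibank’s or any vendor’s code: it runs a simple bulk-extraction detector over a constructed audit log. The log line format, the field names, the thresholds and the account and IP details are all assumptions chosen for illustration. The detection idea is that a human analyst runs a handful of varied queries, whereas a paging tool runs many queries of one shape, differing only in literals, and returns far more rows than usual in a short window.

```python
"""Flag automated bulk extraction in database audit logs.

Added example (not Medibank's or any vendor's code). The log format, field
names, account names, IPs and thresholds below are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed audit-log line shape: ISO timestamp, user, source IP, rows returned, statement.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)
# Quoted strings and bare integers are the parts a paging tool varies between calls.
LITERAL_RE = re.compile(r"'[^']*'|\b\d+\b")

# Constructed sample log: a support analyst doing ordinary work, then a
# compromised account paging through the members table 500 rows at a time.
LEGIT_LINES = [
    '2022-10-10T02:00:05Z user=analyst1 src=10.20.4.15 rows=1 stmt="SELECT name,dob FROM members WHERE policy_no=\'A1001\'"',
    '2022-10-10T02:01:10Z user=analyst1 src=10.20.4.15 rows=4 stmt="SELECT claim_id,code FROM claims WHERE member_id=88213"',
    '2022-10-10T02:03:44Z user=analyst1 src=10.20.4.15 rows=1 stmt="UPDATE members SET phone=\'0400000000\' WHERE member_id=88213"',
]
BURST_LINES = [
    f"2022-10-10T02:{10 + (i * 3) // 60:02d}:{(i * 3) % 60:02d}Z user=j.smith src=203.0.113.7 rows=500 "
    f'stmt="SELECT * FROM members WHERE member_id BETWEEN {i * 500} AND {i * 500 + 499}"'
    for i in range(60)  # 60 queries, 3 s apart, all within one 5-minute window
]
CONSTRUCTED_LOG = LEGIT_LINES + BURST_LINES


def normalise(stmt):
    """Collapse literals so every page of the same extraction query shares one template."""
    return LITERAL_RE.sub("?", stmt)


def parse(lines):
    """Yield parsed entries; lines that do not match the assumed format are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"ts": ts, "user": m["user"], "src": m["src"],
               "rows": int(m["rows"]), "template": normalise(m["stmt"])}


def detect_bulk_extraction(lines, window=timedelta(minutes=5), max_queries=25,
                           max_rows=5000, min_template_share=0.8):
    """Return one finding per (user, window) where query count or rows returned
    exceed the thresholds AND most queries share a single normalised template,
    i.e. something is paging through a table rather than answering tickets."""
    window_s = int(window.total_seconds())
    buckets = defaultdict(list)
    for e in parse(lines):
        start = int(e["ts"].timestamp()) // window_s * window_s
        buckets[(e["user"], start)].append(e)

    findings = []
    for (user, start), entries in sorted(buckets.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        queries = len(entries)
        rows = sum(e["rows"] for e in entries)
        template, count = Counter(e["template"] for e in entries).most_common(1)[0]
        share = count / queries
        if (queries > max_queries or rows > max_rows) and share >= min_template_share:
            findings.append({
                "user": user,
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "queries": queries,
                "rows": rows,
                "template": template,
                "template_share": round(share, 2),
                "sources": sorted({e["src"] for e in entries}),
            })
    return findings


if __name__ == "__main__":
    for f in detect_bulk_extraction(CONSTRUCTED_LOG):
        print(f"{f['window_start']} {f['user']} from {','.join(f['sources'])}: "
              f"{f['queries']} queries / {f['rows']} rows, {f['template_share']:.0%} matching "
              f"{f['template']!r}")
```

The template-share condition is what keeps the rule from firing on a busy analyst or a reporting job that runs many different statements; tune the thresholds from a baseline of your own logs, and pair the alert with the source IP and the MFA/VPN session that issued the credential, since the account in this scenario is a legitimate one being driven by an attacker.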

Medibank is offering a more extensive support package to affected customers than we’ve seen in other breaches, so it looks like the Australian government successfully used the recent Optus breach to set expectations that companies affected by data breaches will cover costs for affected customers. Beyond the standard free identity monitoring this includes financial support for those customers “who are in a uniquely vulnerable position as a result of this crime”, mental health and wellbeing support, and reimbursement of fees for new identity documents. Medibank has also deferred premium increases by a couple of months.

This response has (so far) kept Medibank out of the government’s crosshairs, with Cyber Security Minister Clare O’Neil describing the Medibank breach as a horrendous criminal “dog act”.

But the government is not letting Medibank deal with this by itself. O’Neil has invoked the National Coordination Mechanism, a crisis response mechanism set up to deal with the complexities of the Covid pandemic, to coordinate a whole-of-government response. Agencies responding to the breach include the Australian Signals Directorate, the Australian Federal Police, Services Australia and the Department of Health, and we are pleased to see that some hounds have actually been released.

“I want to thank the Australian Signals Directorate and the Australian Federal Police on the intensive work that is underway to hunt down the attacker, they are undertaking a very significant operation,” O’Neil said.

We’ve never seen a response like this in Australia, so it’ll be interesting to see what such a comprehensive mobilisation of government resources can achieve.

Beyond the steps taken to coordinate a whole of government response and future strengthening of the Privacy Act (see Reasons to be Cheerful #1, below), another initiative we’d like to see is public reports into significant breaches, similar to the log4j report produced by the US Cyber Safety Review Board. The Office of the Australian Information Commissioner has announced it will investigate the Optus breach, so it would be good to see a public report on its findings.

Updated on 2022-10-26: More Medibank Breach Details Emerge

Australian insurance provider Medibank now says that a data breach disclosed earlier this month compromised personal information of all 4 million customers. The compromised data include claims details. Medibank said that it does not have insurance for cyber incidents and that it expects costs associated with the breach to total between AU$25 million and AU$35 million ($16M to $22.4M) over the next six months.

Note

  • This is a good illustration of what cyber insurance is for. It won’t prevent an attack, nor will it by itself reduce the technical risks you face, but it does transfer part of the financial risk of a breach. Medibank had none, so the AU$25-35 million lands squarely on its own balance sheet.
  • Before deciding to self-insure, check with your insurance providers to make sure you understand which sorts of incidents are _NOT_ covered; you may find a gap you didn’t anticipate. On top of the costs above, Medibank is also expected to face large regulatory fines. Take note of the support Medibank is providing to customers and of its statements about impact and operational status, including financial impact and investor briefings. Are you prepared to be this transparent in a breach and to give your customers this level of support? Confirm that at the highest levels.


Updated on 2022-10-25

Medibank confirmed that the recent data breach compromised the personal and health data of all of its 3.9 million customers, causing a potential financial impact of $25–$35 million. Read more: Data Breach at Australian Health Insurer Impacts 4 Million Customers; Could Cost $35M

Updated on 2022-10-20: Medibank Says Patient Data Were Compromised

Australian health insurance company Medibank now says that patient data were stolen in a breach that was disclosed earlier this month. The exfiltrated information includes Medicare and policy numbers, treatment location data, and codes related to diagnoses and procedures. The breach is being investigated by the Australian Federal Police.

Note

  • Medibank is being very transparent here. Take note of some of the recovery actions which include creating and redirecting staff to answer their cyber response hotline, halting trading of Medibank shares, as well as publishing what data elements they have verified versus which elements the attackers claim to have. Consider adding similar actions to your incident response plan.


Updated on 2022-10-19

An unknown hacker group claimed to have stolen 200GB of data from Medibank and threatened to leak the private information of high-profile Australians if a ransom isn’t paid. Read more: Medibank hackers threaten to release stolen health data in ransom demand

Updated on 2022-10-18

Australian insurance company Medibank confirmed that the disruption of its online services was caused by a ransomware attack, and said that no systems were encrypted. Read more: Australian Insurer Medibank Says Incident Was Ransomware

Updated on 2022-10-13

Australian private medical insurer Medibank has acknowledged that it was the victim of a cyber intrusion and data compromise. In an update, Medibank writes, “we … have successfully taken offline the ahm and international student policy systems and its data, and we are in the process of methodically and safely restarting the systems.”

Note

  • Medibank has set up a status page with information and updates for customers and has sent over 2.8 million email and text messages (according to customers’ stated preference) to Medibank and ahm customers. It has engaged the Australian Cyber Security Centre, regulators and others to assist with the response and communications. Keep an eye on the status page as things progress and services are restored.


Overview

Medibank Private identified a security incident, forcing the Australian health insurer to isolate and remove access to some customer-facing systems. Read more: Australia’s Medibank reports cyber incident, shares on trading halt
