An Overview of the Medibank Data Breach 2022 – Noor Ul Aien

Medibank, also known as Medibank Private Limited, is one of the largest Australian private health insurance providers. Operating as a publicly listed company, Medibank offers health insurance services to a significant portion of the Australian population, with a total customer base of 4 million customers. Medibank faced a cyber attack on its systems, leading to the leak of its customers' private information on the dark web.

TIMELINE OF CYBER ATTACK:

  • The Medibank hack began when an unknown actor gained access to Medibank’s database, which held individuals’ credentials. Medibank discovered unusual activity in its systems on October 13, 2022; however, it restarted the systems the next day, claiming there was no evidence of a data breach.
  • On October 17, a malicious party contacted the company to negotiate over the alleged removal of customer data. The party attempted to pressure the insurer by stating that it would release the data of 1,000 media persons, including bloggers, activists, and politicians; however, the company maintained its claim that no data had been leaked.
  • On October 19, the hacker made direct contact, claiming to hold 200 GB of data.
  • On October 20, it was confirmed that the hackers’ claims were legitimate and that Medibank would not pay any ransom, since there was very little chance the stolen data would be returned.
  • The scope of the data breach was revealed on November 7. A day later, the hacker threatened to release the data on the dark web.
  • On November 9, 2022, the hacker uploaded a file containing clients’ data marked as a “Good list” and a “Naughty list”, which included details of treatment for conditions such as HIV, alcohol addiction, drug addiction, and mental health issues. (Powell, 2022)
  • On November 10, 2022, on the dark web hacking site ‘BreachForums’, the hacker posted a file labeled “Abortions” in which the details of the procedures that clients had sought were listed. The hacker also posted about the ransom, stating that it was $10 million and, after a discount, $9.7 million, which is $1 per customer.

COMPROMISED DATA:

The stolen data included names, email addresses, phone numbers, Medicare numbers, dates of birth, passport numbers, and visa details. (Powell, 2022) The hacker also possessed next-of-kin contact details for My Home Hospital patients and health provider information. (Medibank Data Breach Investigation and Complaint, n.d.) The criminal also had access to data from subsidiaries such as ahm health insurance, a small health insurance brand owned by the company. However, the company has emphasized that no credit card or banking details were compromised. (Turnbull, 2022)

How Did the Data Breach Occur?

Upon gaining access, the malicious actor pinpointed the location of the customer database. They then used the stolen privileged credentials to create a script that automated the exfiltration of customer data. The pilfered data was compressed into a zip file and exfiltrated through two pre-existing backdoors. Medibank’s security team reportedly identified the suspicious activity and promptly closed both backdoors, although not before 200 GB of customer data had been compromised. (Kost, 2023)
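The pattern described above, a legitimate privileged account suddenly pulling the whole customer table in bulk, is exactly what a detection on database audit logs should catch. The following is an added example, not code from the article or from Medibank: it parses constructed audit lines (the `account rows= bytes=` format, the account names and the thresholds are all assumptions for the demo) and flags single queries that return an abnormal number of rows as well as accounts whose hourly outbound volume exceeds a ceiling.

```python
"""Added example (not from the article): flag bulk-export behaviour in
constructed database audit lines. Log format, accounts and thresholds
are assumptions chosen for the demo, not values from the Medibank case."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: timestamp, account, rows returned, bytes sent.
# The two late-night svc_reporting entries mimic an automated bulk dump.
SAMPLE_LOG = """\
2022-10-12T09:00:01 svc_reporting rows=120 bytes=48000
2022-10-12T09:05:13 svc_reporting rows=95 bytes=38000
2022-10-12T10:00:44 analyst_jdoe rows=300 bytes=120000
2022-10-12T22:14:02 svc_reporting rows=2500000 bytes=1000000000
2022-10-12T22:19:55 svc_reporting rows=2400000 bytes=960000000
2022-10-12T23:01:30 analyst_jdoe rows=280 bytes=112000
"""


def parse_line(line):
    """Turn one audit line into a dict with typed fields."""
    ts, account, rows, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "account": account,
        "rows": int(rows.split("=", 1)[1]),
        "bytes": int(nbytes.split("=", 1)[1]),
    }


def hourly_volume(events):
    """Sum bytes sent per (account, hour) bucket."""
    buckets = defaultdict(int)
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(e["account"], hour)] += e["bytes"]
    return buckets


def find_exfil_candidates(log_text, max_rows_per_query=100_000,
                          max_bytes_per_hour=50_000_000):
    """Return alert tuples (kind, account, when, value).

    kind is "bulk_query" for a single query over the row ceiling and
    "volume" for an account whose hourly egress exceeds the byte ceiling.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for e in events:
        if e["rows"] > max_rows_per_query:
            alerts.append(("bulk_query", e["account"],
                           e["ts"].isoformat(), e["rows"]))
    for (account, hour), total in hourly_volume(events).items():
        if total > max_bytes_per_hour:
            alerts.append(("volume", account, hour.isoformat(), total))
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOG):
        print(alert)
```

Static ceilings are the simplest form of this check; in practice the thresholds would be derived per account from a baseline of normal volume, so that a reporting service with a legitimately large nightly job is not flagged while an analyst account pulling the same amount is.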

Investigation Responses and Legal Actions

The Office of the Australian Information Commissioner (OAIC) initiated an investigation into Medibank’s personal information handling practices following the notifiable data breach. It had to determine whether Medibank had taken reasonable steps to protect the information it held. Following the incident, legislation was also passed under which a business can be fined $50m for repeated breaches. The prior legislation applies to Medibank, since the breach occurred before the change, resulting in a $2.2m fine. The AFP said it would use assistance from Interpol to track down the hacker. (Taylor, 2022)

Although Medibank took action to address the specific control weaknesses, there were still many areas that needed attention to improve security. In response to the surge in cyber intrusions, Australia established an agency in February to oversee government investment and coordinate responses to hacker attacks, thereby enhancing security measures. (Jose & Manekar, 2023)

Australia has publicly named a Russian national, Aleksandr Ermakov, an alleged member of the Russian ransomware gang REvil, as responsible for the attack. REvil is also believed to be responsible for large attacks on the United States and elsewhere. The stolen data belonged not only to Australian customers but also to 1.8 million international customers. (Yeung & Whiteman, 2024)

Impacts

Australia’s banking regulator has directed Medibank (MPL.AX) to allocate an additional A$250 million ($167 million) in capital due to the information security vulnerabilities exposed during the hacking incident. The announcement resulted in a 4.6% decline in shares, the largest intraday drop since late October of the previous year, with the stock trading at its lowest level since May 3. At least three class action suits were filed against the company.

The leak of such sensitive information can discourage people from seeking medical attention. A scammer can threaten a patient with exposure of their medical details, including the location where the patient sought medical assistance. Having such information exposed can be distressing and embarrassing for individuals, and the risk of phishing scams increases after such a leak. (Turnbull, 2022)

Preventions

To prevent such incidents, a company should train employees to recognize phishing attacks, the most common method of credential theft.

Implementing the principle of least privilege (POLP)—which restricts employee account access to the minimum necessary—should be a standard security policy for all Australian businesses. By prolonging the attack timeline, POLP increases the likelihood of detecting and intercepting breaches, as demonstrated during the Medibank incident. Despite the attackers likely being a ransomware gang, Medibank’s swift action in shutting down backdoors prevented the attack from reaching its encryption phase.

Network segmentation, which divides a network into distinct segments or zones, should also be implemented. When sensitive data resides in a specific zone, connection requests to that zone should be routed through a jump server, which acts as a fortified gateway for managing access to sensitive zones, thereby minimizing the risk of compromise. (Kost, What Caused the Medibank Data Breach?, 2023)
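The two controls above, least privilege and a jump-server-only path into the sensitive zone, can be written down as an explicit access policy and checked before any connection or action is granted. The following is an added example, not code from the article or from Medibank: it evaluates constructed requests against a zone map and a set of minimal role grants (the host names, zones, roles, accounts and actions are all assumptions for the demo) and also reports grants a role never uses, which are the candidates for removal under least privilege.

```python
"""Added example (not from the article): an access-policy check that
encodes least privilege and jump-host-only access to a sensitive zone.
All hosts, zones, roles, accounts and actions are constructed for the demo."""
from dataclasses import dataclass

# Constructed zone map. Only the jump host may open connections into "sensitive".
ZONE_OF_HOST = {
    "ws-042": "corporate",
    "web-01": "dmz",
    "jump-01": "management",
    "db-customer-01": "sensitive",
}
JUMP_HOSTS = {"jump-01"}

# Least-privilege role grants: each role lists only the actions it needs.
# Bulk export is deliberately absent from every interactive role.
ROLE_ACTIONS = {
    "claims_agent": {"read_record"},
    "dba": {"read_record", "alter_schema"},
    "backup_service": {"export_table"},
}
ACCOUNT_ROLE = {
    "jdoe": "claims_agent",
    "dba_admin": "dba",
    "svc_backup": "backup_service",
}


@dataclass(frozen=True)
class Request:
    account: str
    src_host: str
    dst_host: str
    action: str


def evaluate(req, zone_of_host=ZONE_OF_HOST, jump_hosts=JUMP_HOSTS,
             role_actions=ROLE_ACTIONS, account_role=ACCOUNT_ROLE):
    """Return (allowed, reason). Segmentation is checked first, then role grants."""
    dst_zone = zone_of_host.get(req.dst_host)
    if dst_zone is None:
        return False, f"unknown destination host {req.dst_host!r}"
    if dst_zone == "sensitive" and req.src_host not in jump_hosts:
        return False, f"sensitive zone reachable only via a jump host, not {req.src_host!r}"
    role = account_role.get(req.account)
    if role is None:
        return False, f"unknown account {req.account!r}"
    if req.action not in role_actions.get(role, set()):
        return False, f"role {role!r} is not granted {req.action!r}"
    return True, "ok"


def unused_grants(role_actions, observed):
    """Report granted actions a role never exercised in observed usage.

    `observed` maps role -> set of actions seen in audit logs; the result
    lists the grants least privilege says should be reviewed for removal.
    """
    report = {}
    for role, granted in role_actions.items():
        extra = granted - observed.get(role, set())
        if extra:
            report[role] = sorted(extra)
    return report


# Constructed usage seen in audit logs: the dba role never altered the schema.
OBSERVED_USAGE = {
    "claims_agent": {"read_record"},
    "dba": {"read_record"},
    "backup_service": {"export_table"},
}

if __name__ == "__main__":
    for req in (
        Request("jdoe", "ws-042", "db-customer-01", "read_record"),
        Request("jdoe", "jump-01", "db-customer-01", "read_record"),
        Request("jdoe", "jump-01", "db-customer-01", "export_table"),
        Request("svc_backup", "jump-01", "db-customer-01", "export_table"),
    ):
        print(req, evaluate(req))
    print(unused_grants(ROLE_ACTIONS, OBSERVED_USAGE))
```

The ordering matters: the segmentation check runs before any credential is consulted, so a stolen privileged credential presented from a workstation in the corporate zone is refused without the role grants ever being evaluated, and a credential that does reach the database from the jump host can still only perform the actions its role was given.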

Written by Noor Ul Aien


References

  • Jose, R., & Manekar, S. (2023, June 27). Australia regulator tells Medibank to set aside $167 million after data breach. Retrieved from Reuters Business: https://www.reuters.com/business/finance/australia-regulator-asks-medibank-set-aside-167-mln-after-data-breach-2023-06-26/
  • Kost, E. (2023, May 1). What Caused the Medibank Data Breach? Retrieved from UpGuard: https://www.upguard.com/blog/what-caused-the-medibank-data-breach
  • Medibank Data Breach Investigation and Complaint. (n.d.). Retrieved from Maurice Blackburn Lawyers.
  • Powell, O. (2022, October 11). IOTW: Everything we know about the Medibank data leak. Retrieved from Cshub: https://www.cshub.com/attacks/news/iotw-everything-we-know-about-the-medibank-data-leak
  • Taylor, J. (2022). Medibank hackers announce ‘case closed’ and dump huge data file on dark web. The Guardian.
  • Turnbull, T. (2022). Medibank: Data stolen from Australia health insurance available online. Sydney: BBC.
  • Yeung, J., & Whiteman, H. (2024). Australia sanctions Russian national accused of hacking in Medibank data leak. CNN.