Medibank data breach: More customers affected, attacker got in via stolen credentials

Australian private health insurance provider Medibank has revealed that the hack and data breach it discovered over two weeks ago has affected more customers than initially thought.


“We have received a series of additional files from the criminal. We have been able to determine that this includes: a copy of the file received last week containing 100 ahm policy records (including personal and health claims data); a file of a further 1,000 ahm policy records (including personal and health claims data); and files which contain some Medibank and additional ahm and international student customer data,” the company said.

“It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers.”

More customers affected

According to The Guardian, Medibank is working under the assumption that all its customers have been affected, including past ones (as they have a legal obligation to keep those records for seven years).

The company did not say whether they are considering paying the ransom, but they are putting in place services and offerings to support their customers in case the stolen data is leaked by the attacker.

These include financial support for especially vulnerable customers, a mental health and wellbeing support line for all customers, access to specialist identity protection advice and resources, free identity monitoring services for customers who have had their primary ID compromised, and reimbursement of fees for re-issue of identity documents that have been fully compromised.

It has set up a specialized team to help customers who have received scam emails or threats as a consequence of this hack, and is “also working with all Australian banks and relevant government departments to help them take additional steps to increase monitoring of affected customers accounts.”

Affected customers will be contacted by Medibank directly but the company made sure to point out that they “will never contact customers requesting passwords or other sensitive information.”

Do we know more about how Medibank was hacked?

“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community,” said Medibank CEO David Koczkar.

“We continue to work closely with the agencies of the Federal Government, including the ongoing criminal investigation into this matter. We thank them for their ongoing support and assistance.”

While Medibank has yet to officially confirm it, it seems that the attacker got into the company’s network by buying stolen access credentials from a Russian-language cybercrime forum.

After gaining access, the attacker performed reconnaissance, deployed two backdoors, and exfiltrated customer data by using a bespoke data exfiltration tool. The name of the ransomware that the attacker meant to use has yet to be revealed.

The one thing that’s clear, though, is that Medibank has been carrying out cybersecurity crisis communication as it should be done.

UPDATE (October 27, 2022, 06:10 a.m. ET):

Medibank has now confirmed that the criminal had access to all ahm, international student, and Medibank customers’ personal data and significant amounts of health claims data.

Also, that the criminal has accessed patient information relating to My Home Hospital – “a joint venture between Calvary and Medibank on behalf of Wellbeing SA and the South Australian Government.”

“We have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data. As a result, we expect that the number of affected customers could grow substantially,” the company said.

Ransomware has not been deployed on the company’s IT systems.

“Based on our current actions in response to the cybercrime event, noting that Medibank does not have cyber insurance, we currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23. These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation related costs,” they added.
