Hacking group threatens to on-sell Medibank data

Medibank data hack

Australia’s largest health insurer, Medibank, has reportedly been contacted by a hacking group threatening to on-sell highly sensitive customer data captured during a suspected ransomware attack last week.

The health insurance group, which also includes the ahm brand, said it is working urgently to establish whether the claim by the hacking group is true. In its initial investigations into the breach, Medibank found that no customer data had been stolen.

“[Based] on our ongoing forensic investigation we are treating the matter seriously at this time,” the group said in a follow-up statement.

While it is yet to determine whether any data was in fact stolen, Medibank once again confirmed that its systems were not encrypted by ransomware.

In response to the threat by the hackers to expose the data, the health insurer announced to the ASX that it has entered into a trading halt “to ensure that it meets its continuous disclosure obligations”.

While Medibank is yet to disclose full details of the threat made against it, Nine Entertainment-owned mastheads the Sydney Morning Herald and The Age have reportedly sighted a message from the hacking group which claims it has in its possession 200 gigabytes of confidential data taken from the insurer’s network, including health conditions and diagnoses of individual customers as well as their credit card details.

The hackers have also threatened to disclose sensitive details of 1,000 of the most prominent individuals (referred to as “media persons” in the message) captured in the supposed data hack.

Systems restored after breach incident

On Monday 17 October, Medibank announced that it had successfully restored its IT systems and resumed “normal activity” following a suspected ransomware breach of its corporate network.

Affected Medibank systems were restored on “new IT infrastructure”, the insurer confirmed in a statement, with “normal activity” resuming on Friday (14 October).

The health insurance group on Thursday released a statement stating that it had detected “unusual activity” on its network the previous day; in an effort to isolate the breach, Medibank moved to “temporarily block and isolate access” to its ahm and international student customer policy management systems.

The resulting action prevented customers and staff from accessing policy data. These systems were, however, still accessible via Medibank’s phone service.

The company added that it had engaged specialised cybersecurity firms to help contain the breach and prevent data from being leaked.

Medibank stressed that the shutdown was “done out of an abundance of caution”, ensuring it could “provide additional protection of customer data on that system” as well as effectively investigate the breach.

“The company took the precautionary action to temporarily block and isolate access to the ahm and international student customer policy management systems while the activity was investigated.”

An investigation into the breach – which Medibank notes is still ongoing – found that its cybersecurity systems had identified “activity consistent with the precursor to a ransomware event”.

Medibank confirmed that its systems “were not encrypted by ransomware during this incident and there is no indication that the incident was caused by a state-based threat actor”.

While the investigation continues, Medibank hastened to stress that there is no evidence customer data has been removed from its network; the insurer said it is working with the Australian Cyber Security Centre (ACSC) to provide additional guidance and support.

Medibank chief executive David Koczkar in a statement acknowledged the systems shutdown may “have caused concerns and inconvenience” for some customers.

“We took the necessary precautions to protect the data of our customers, people and other stakeholders, and we will continue to do so,” he said.

“We take the protection of our customers’ data very seriously and ongoing investigations continue to show no evidence customer data has been removed from our network. We will provide updates if the situation changes.”

He added: “We will also share technical information with peers across the industry as part of our commitment to helping others understand how this incident transpired and to allow our industry peers to bolster their own defences.”

Medibank said it has also deployed additional security measures across its network to strengthen the integrity of its systems.

The alleged data breach of the health insurer follows a spate of major data loss events reported by Australian firms, including the massive Optus breach – among the largest data loss events in Australian corporate history, which was found, ultimately, to be the result of a publicly visible API.

Woolworths-owned online retailer MyDeal (with 2.2 million customers impacted) and wine retailer Vinomofo are also reported to have been subject to significant data hacks over the last week.