First reported as a cyber incident, the Medibank cyber attack and subsequent data breach has been unfolding for a month now. We’ve heard updates almost daily, but on November 11, the Australian Federal Police made a bold statement, one that attributed the attack to Russia.
Medibank customers this week found out that their stolen health records were publicly released on the dark web. The leak followed a threat by hackers 24 hours earlier to do precisely that.
Before leaking the extremely personal information on many Australians, the hackers demanded a ransom from Medibank, one which the company (rightfully so) refused to pay.
In a press conference Friday afternoon, AFP Commissioner Reece Kershaw declared hackers in Russia were responsible for the Medibank cyber attack.
“This is a crime that has the potential to impact on millions of Australians and damage a significant Australian business,” he said.
“This cyber attack is an unacceptable attack on Australia and it deserves a response that matches the malicious and far-reaching consequences that this crime is causing.”
Kershaw said the AFP is undertaking covert measures and working around the clock with domestic and international partners, including Interpol, to bring those responsible to justice.
“This is important because we believe those responsible for the breach are in Russia,” Kershaw said.
“Our intelligence points to a group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world. These cyber criminals are operating like a business.”
Kershaw said the AFP has reason to believe that some affiliates of the business may be operating in other countries, not just Russia.
“We believe we know which individuals are responsible, but I will not be naming them,” he added.
“What I will say is that we will be holding talks with Russian law enforcement about these individuals.”
Kershaw said the AFP was also “scouring the internet and dark web” to find people seeking to profit from this attack.
So how did we get here?
Last month, Medibank went public with news that it suffered a cyber incident. Turns out it was a lot worse than Medibank first thought and, with the data on 9.7 million customers caught up in the massive breach.
The private health insurer told shareholders on October 12 it had fallen victim to a ‘cyber incident’. It said that in response to this incident, the organisation took immediate steps to contain it, and engaged specialised cybersecurity firms.
At the time, Medibank said there was no evidence that any sensitive data, including customer data, had been accessed in the cyber attack.
On October 17, it reaffirmed that after ongoing investigations, there was still no evidence customer data had been removed from its IT environment. It also emerged that Medibank was the victim of a ransomware extortion attempt, with the word ‘ransom’ hidden within the organisation’s messaging. But on October 19, things had taken an Optus-like turn.
In a statement issued via the ASX on October 19, Medibank said it has received messages from a group that “wishes to negotiate with the company regarding their alleged removal of customer data”. This negotiation was the hackers threatening to release the private medical information of high-profile Australians if a ransom wasn’t paid.
On October 20, Medibank said the Australian Federal Police was investigating the incident as a crime as data on its customers was confirmed breached. Then, on October 26, Medibank confirmed every one of its customers had their data breached.
However, on November 7, Medibank divulged just how bad things actually were.
“Given the nature of this crime, we now believe that all of the customer data accessed could have been taken by the criminal,” it said.
In a statement issued to the ASX, Medibank said it believed the criminal has accessed the name, date of birth, address, phone number and email address of around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers.
The criminal/s also accessed Medicare numbers (but not expiry dates) for ahm customers, passport numbers (but not expiry dates) and visa details for international student customers and accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers.
Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed, and around 2,900 next of kin of these patients have had some contact details accessed.
Health provider details, including names, provider numbers and addresses, are among the data accessed in the breach, Medibank said.
Despite this, Medibank said the criminal did not access primary identity documents, such as driver’s licences, for Medibank and ahm resident customers. Credit card and banking details are also apparently safe.
It was on November 7 that Medibank said it wasn’t paying, despite the ramifications.
“No ransom payment will be made to the criminal responsible for this data theft,” the statement reads.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Medibank CEO David Koczkar added.
Then, on November 9, it was confirmed data had been leaked.
The hackers, who claimed to have spent a month rummaging around Medibank’s systems, have posted what they’ve called “naughty” and “nice” lists of health records, with the “naughty” list including people who’ve sought treatment for things like addiction and eating disorders. And they claim they’ve only started releasing the stolen information.
The hackers have also published emails they sent and received with Medibank while negotiating over the ransom. The emails, if they’re authentic, show the hackers refusing to name themselves except to say they’re with an “affiliate group.” Security researchers have dubbed the group BlogXX, which is a partial name of the onion address where the stolen data has been published. Oddly enough, the domain used to be run by the Russian-based REvil ransomware gang, though it’s not clear if some of the hackers are the same.
In one of the email exchanges published by the hackers, a representative from Medibank asks how they know the hackers will actually delete the data if they pay the ransom.
“We are doing business, even if it is not legal, and we are worried about our reputation. This is the key to payments,” the response from the hackers reads.
“We are interested in getting money, not destroying your company,” the hackers continue.
Whatever their intention, these hackers behind the cyber attack have now put out Medibank information that could be used to destroy the lives of regular people who may be struggling with any range of mental health and addiction issues.
In the days since Medibank refused to pay a ransom, the health claims of hundreds of Medibank customers have been posted on the dark web, including claims related to the termination of pregnancy, harmful use of alcohol and treatment for drug use.
The Office of the Australian Information Commissioner (OAIC) is making preliminary inquiries with Medibank to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme, and the Australian Federal Police has also expanded Operation Guardian to protect Medibank customers whose personal information has been unlawfully released online. Operation Guardian, a joint initiative with state and territory police, was set up in September in the wake of the Optus data breach.
Medibank said it has “a comprehensive support package” for customers who have had their data stolen. This includes financial support for customers who are in a uniquely vulnerable position as a result of this crime (they will be supported on an individual basis), free identity monitoring services for customers who have had their primary ID compromised and reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime.
Medibank is also offering all customers access to identity protection advice and resources from IDCARE and Medibank’s mental health and wellbeing support line. You can reach out if you’re concerned about the cyber attack or need to do Medibank-related things, by calling 13 23 31 or visiting Medibank’s dedicated webpage.
If you or someone you care about needs support, please call LifeLine Australia on 13 11 14. If life is in danger, call 000. Please do NOT call 000 if you are concerned about the Medibank data breach. Reach out to Medibank for help on 13 23 31.
This article has been updated since it was first published.
Comments