In a significant breach of cybersecurity, Australian health insurer Medibank has announced that the personal data of approximately 9.7 million current and former customers has been compromised due to a ransomware attack. The incident, detected on October 12, raised alarms within the company when signs consistent with a ransomware event prompted preliminary defensive measures. Unfortunately, the attackers managed to exfiltrate sensitive data before the systems could be fully isolated.
Among the affected customers, approximately 5.1 million Medibank policyholders, 2.8 million ahm customers, and 1.8 million international clients had their information accessed. The breach has exposed a range of personal details, including names, addresses, dates of birth, and contact information, as well as Medicare numbers for ahm customers and some passport numbers for international students.
The implications extend to health claims data affecting around 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international clients. The stolen claims data includes crucial details such as service provider names, service locations, and associated medical codes. Notably, financial information and identity documents like driver’s licenses have not been compromised, and the company has reported no unusual activity since identifying the breach.
Medibank has openly acknowledged the severity of the situation, stating that it is likely all accessed customer data has been taken by the attackers. The company has urged its customers to remain vigilant against potential misuse of their information. In a separate statement to investors, Medibank declared that it would not be paying any ransom to the hackers, as capitulating to such demands could encourage further attacks on its customer base and amplify the risk to other Australian organizations.
An update released by Medibank indicated that the hackers have since published customer data on the dark web, which the company cited as reaffirming its decision to reject the ransom demand. The published data includes sensitive information of the same kind previously reported, and the company has expressed concern about the continued exposure of its customer data.
While the specific group behind the attack has not been conclusively identified, there are indications linking the data leak to the ransomware group REvil, known for its prior cyber-extortion operations. The incident appears to have involved tactics catalogued in the MITRE ATT&CK framework, including the initial access and data exfiltration techniques typically associated with ransomware operations. These methods underscore the sophistication of modern cyber threats and the need for robust security measures.
The Medibank incident serves as a stark reminder for businesses worldwide about the critical importance of cybersecurity and the ever-evolving nature of cyber threats. As organizations continue to navigate the complex landscape of data protection, the necessity of proactive monitoring and response mechanisms cannot be overstated.