IOTW: Medibank confirms 200GB of customer data stolen

Medibank has confirmed that hackers have stolen customers’ personal data after gaining unauthorized access to its internal systems.

In a statement released on October 20, Medibank explained that the hackers that had previously contacted them attempting to ransom customer data had released a sample of 100 customers’ details to them.

Medibank said that it believed the data came from its “ahm and international student systems” and that it contained customers full names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. The claims data includes codes relating to their medical diagnoses and procedures as well as where these procedures took place.

The malicious actor also claimed that it had stolen data related to customers’ payment details, however Medibank has not yet been able to verify these claims.

The healthcare provider said that the breach is now under investigation by the Australian Federal Police. Additionally, Medibank said its teams are working “around the clock” to understand what customer data has been stolen and the impact this will have on customers.

When did the hack take place?

The cyber security incident in which the data was stolen occurred on October 13. Medibank noticed some “unusual activity” on its internal systems, including its ahm and international student systems. These systems were temporarily shut down in response to the cyber-attack but resumed functionality on October 14.

Despite originally stating that there had been “no evidence customer data had been accessed,” Medibank was contacted by a malicious party who aimed to “negotiate with the company regarding their alleged removal of customer data.” As a result of this, Medibank called a trading halt in order to meet its continuous disclosure obligations.

Who was targeted in the attack?

In a ransom note sent to Medibank, the hackers claimed they had 200GB worth of confidential data and would sell it if their demands were not met.  

The group also threatened to contact the 1,000 “most [prominent] media persons” at Medibank which, according to them, included “[those with the] most [social media] followers, politicians, actors, bloggers, LGBT activists [and] drug addicted people” as well as people with “very interesting diagnoses” as a warning.

What impact has the attack had?

Medibank has contacted the customers affected by the data breach and has said they expect this number to grow as the cyber security incident continues.

The company encouraged customers to “stay vigilant” and reiterated that Medibank will never contact them requesting personal or sensitive information. In response to the event, the company has opened cyber security-specific helplines.

Medibank customers have claimed on social media that they have been targeted by phishing schemes just seven days after the initial attack. In a tweet, one customer said they had received a letter claiming to be Medibank that said they “owed money for repayments.”

Watch out peeps. We just received a letter from Medibank looking every bit like a Medibank letter telling us we owed money for repayments they had given us that we had to “pay back”. Husband called Medibank and it’s a scam.

— Sassy Carrie (@sassycarrie) October 20, 2022

The public response to the data breach

Home Affairs Minister Clare O’Neil criticized the hackers in a statement on October 20, saying that the threat to make Australian peoples’ private medical information public was a “dog act.”

She continued, saying that this threat was “why the toughest and smartest people in the Australian Government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into irreparable harm to some Australian citizens.”

Please advise how to start legal prosecution against your company. It was not a chorus’s Australia was a target. It is a surprise you failed all your customers. Please advise best contacts to start legal proceedings against your failure to protect customers sensitive data!

— Mr.MojoRisn (@Totally4yeah) October 20, 2022

Medibank customers have taken to social media to respond to the data breach, with many unhappy. One person said that Medibank had “failed all [its] customers” by not adequately protecting their personal data. Others questioned the ability of all corporations to protect the publics’ data, noting the numerous data breaches that have befallen Australian companies in the past three weeks.

First Optus is hacked .. now Medibank Private. Neither the corporate sector with its encryption/privacy specialists nor law enforcement (AFP) seem capable of protecting the public. If online banking is criminally compromised the digital economy is in serious trouble. pic.twitter.com/oFA0l4MOJv

— Quentin Dempster (@QuentinDempster) October 19, 2022

While a class action lawsuit has not yet been filed, many of those posting on social media said they wanted to take some form of action against the company. 

Medibank CEO David Koczkar said that he “unreservedly apologize[d] for this crime which has been perpetrated against our customers, our people, and the broader community”.