Criminals behind Medibank cyber attack exposes thousands of customers’ health data

Posted: November 25, 2022

So far, 2022 has been a gloomy year for Australia’s data privacy and IT security climate, with three industry giants from the retail (Woolworths), telecom (Optus), and insurance (Medibank) sectors reeling from massive cyber attacks whose aggregate fallout just might impact the majority of Australians.

On October 12, the country’s largest health insurer Medibank detected suspicious activity in its customer data systems, prompting an immediate security response, internal investigation, and notification of relevant authorities. The insurer initially announced that there was “no evidence that any sensitive data, including customer data, has been accessed.”

But it turned out days later that a criminal entity did indeed access and steal around 200GB of customer data – including sensitive health information – that they have put to ransom.

Key Takeaways

Medibank detected unusual activity in its IT network and took immediate steps to contain the incident.
A cyber criminal contacted Medibank, claiming to have stolen 200 GB of customer data. The criminal demanded ransom money for its return and threatened to leak personal data and health records; and to contact 1,000 prominent and influential customers who have “very interesting diagnoses.”
As proof of breach, the criminal presented 100 policy-holder records that included customer names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, and claims data that contains information on medical services, diagnoses, and procedures undergone by some customers.
Medibank validated the authenticity of the sample customer data and believes said data came from their ahm (Australian Health Management) and international student (OSHC) systems.
Adopting the official government stance, Medibank refused to pay the US$10 million ransom demanded by the cyber criminals.
Failing at their extortion attempt, the criminal hackers leaked several batches of health claims data, including those they allege involve abortions, sexually-transmitted diseases, and mental health treatments.
Cyber security experts noted the criminal’s potential link to the notorious REVil ransomware
The Australian Federal Police (AFP) stated that it has identified the individuals behind the attack and said they are based in Russia.
The Medibank cyber attack remains under investigation, with the insurer coordinating with government agencies and law enforcement authorities to assess the extent of the breach, mitigate impact to customers, and apprehend the perpetrators.

Get Quick Answers

Who is Medibank?
Who is behind the Medibank cyber attack?
When did the cyber attack on Medibank happen?
Which data was compromised?
How did the cyber attackers steal customer data?
What should Medibank customers do?
What’s next after the Medibank cyber attack?

Who is Medibank?

Medibank Private Limited is the largest and top performing private health insurance provider in Australia, based on the government’s 2021 State of the Health Funds Report. Medibank serves nearly 4 million customers (roughly 15% of the total population) and controlled 27.3% of the market as of 2021.

Formed in 1976 as a government-run non-profit insurer, Medibank was privatised in 2014 and currently operates as a publicly listed company on the Australian Securities Exchange (ASX). It acquired Wollongong-based insurer Australian Health Management (ahm) in 2009, operating the subsidiary since then as its low-cost (budget) brand. Medibank offers a wide range of services, including health insurance coverage for international students, which is mandated for Australian visa class 500. Medibank provides this insurance category via its OSHC (Overseas Student Health Cover) plans. Notably, the data breach was initially detected, halted, and isolated over these two component businesses, which together account for around 1 million customers, according to The Sydney Morning Herald. Upon further investigation, however, customer data for Medibank’s main brand was also found to be compromised.

As an insurer, Medibank operates within the regulatory standards of the Australian Prudential Regulation Authority (APRA).

Who is behind the Medibank cyber attack?

In a November-11 statement, the Australian Federal Police said they have identified the individuals behind the data breach, that those culprits are in Russia, and that they belong to a group of cyber criminals who are likely responsible for other major cyber attacks around the world. The AFP noted that some criminal affiliates might be located in other countries, prompting the federal police to undertake covert measures and work with international law enforcement agencies.

The AFP’s investigation aligned well with the near-unanimous conjecture among cyber security experts that the attackers are linked to the Russia-backed ransomware gang REvil which is also known as Sodinokibi. Believed to have been dismantled by Russian law enforcers in early 2022, the criminal gang appear to have resurfaced via a new site and hacking operation on the dark web called “BlogXX.” The new site is the redirect destination from REvil’s original Tor website that was allegedly shut down by the FSB, Russia’s principal security agency. Meanwhile, security researchers confirmed that the source code of the data encryptor used by the new operation was based on the one deployed by REvil.

Several weeks prior on October 19, the threat actor contacted Medibank to reveal that it stole at least 200GB of customer data, providing 100 samples of policy-holder records as evidence of its claim. Aside from personally identifiable information (PII), the stolen data includes highly sensitive information about customer’s diagnoses, medical procedures, and where customers acquired medical services. The criminal element threatened to sell such stolen data unless the insurer paid an undisclosed ransom amount, warning that it will first target 1,000 Medibank customers it deemed “prominent” or with “very interesting diagnoses.”

Notably, the threat actor specified just who it thought were the “prominent” customers in Medibank’s client portfolio: “[those with the] most [social media] followers, politicians, actors, bloggers, LGBT activists [and] drug addicted people” as well as people with “very interesting diagnoses”.

Making things even worse, the cyber attack hit Medibank’s system for international students, some of whom might have undergone medical procedures or services that are banned, heavily penalised, or even carry death sentences in their home countries.

Home Affairs Minister Clare O’Neil castigated the “criminal” behind the Medibank cyber attack, describing the deed as horrendous, unacceptable, and a dog act:

“And that is a criminal who is suggesting that they are going to divulge the personal information of Australians to the public and that is simply unacceptable to us.”

“Financial crime is a terrible thing but ultimately a credit card can be replaced, but the threat being made here to make the private and personal health information of Australians made available to the public is a dog act.”

“That is why the toughest and smartest people in the Australian Government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into irreparable harm to some Australian citizens.”

Days after the data breach was discovered, internal investigations at Medibank homed in on how the attack started. Security experts now believe that the hack was pulled off using the stolen access credentials of a Medibank staff with high-level privileges within the organisation’s network. Reportedly, these stolen credentials were sold on a Russian-speaking forum and purchased by another threat actor acting alone or a group of malicious operators, who then used the hacked credentials to gain high-level access to Medibank’s systems, create backdoors, conduct network-wide reconnaissance, and steal customer data.

On November 8, the criminal gang contacted Medibank and threatened to release more customer data within 24 hours unless the insurer pays a then undisclosed ransom amount. A day later, the cyber crime group followed through with its threat, leaking hundreds of customer contact and health data (labelled separately under a “good” and “naughty” list) on the dark web. Meanwhile, Medibank reiterated its commitment to ignore the ransom demand.

On November 10, a person going by the moniker John K Ram claimed – in a dark web post – to be one of the attackers and revealed the ransom amount: US$1 per Medibank customer, or around US$9.7 million (~ AU$15 million).

Successive batches of stolen customer data – allegedly including health claims information related to abortions, chronic conditions, mental health treatments, and sexually transmitted diseases – were leaked.

During an interview with Today, Treasurer Jim Chalmers described the criminal hackers as “absolute grubs.”

When did the cyber attack on Medibank happen?

On October 12, Medibank detected unusual activity in its systems for international students and for its low-cost insurance plans offered through its budget subsidiary, ahm. The insurer immediately stopped and contained the activity, engaging cyber security firms and launching an internal investigation in the process. The following day, Medibank duly reported the incident to authorities, deactivated the affected systems, and began reaching out to potentially affected customers.

Here’s a timeline highlighting key events surrounding the cyber attack:

Medibank Cyber Attack Timeline

October 12

Medibank detects and contains unusual activity on its network, finds no evidence that customer data has been accessed.

October 13

Medibank publicly announces security incident, coordinates with government agencies including Australian Cyber Security Centre (ACSC), APRA, Office of Australian Information Commissioner (OAIC), Private Health Insurance Ombudsman, Department of Health, and Department of Home Affairs.
Medibank takes ahm health insurance and international student policy systems offline.
Insurer still finds no evidence of unauthorised access to customer data.
Medibank begins contacting customers.
Insurer suspends trading on ASX.

October 14

Number of Medibank emails warning customers of breach clocks in at 2.8 million
Insurer restores access to ahm and international student systems.

October 17

CEO David Koczkar issues public apology, suggests possible ransomware threat, advises customers to remain vigilant, and says Medibank still finds no evidence of data being removed from network.
Insurer resumes ASX trading.

October 18

Medibank gets ahm and international student systems offline, then back online hours later.

October 19

Threat actor contacts Medibank, begins ransom negotiations.
Medibank suspends stock exchange trading until further notice.
Home Affairs and Cyber Security Minister Clare O’Neil gives official statement on incident.

October 20

AFP investigates incident as crime.
Threat actor claims it has 200 GB of customer data, provides samples of stolen policy-holder records.
Sample data includes customer names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, and claims data such as medical services, diagnoses, and procedures undertaken by some customers.
Threat actor also claims possession of credit card security data.
Medibank submits mandated report to ASX

October 21

Medibank extends contact centre operating hours over weekend.

October 22

Authorities activated national coordination mechanism (NCM), enjoins all government agencies to support Medibank and vulnerable Australians.

October 24

APRA releases official statement on Medibank cyber attack, reiterates key information security guidelines for regulated entities.

October 25

Medibank discloses far wider breach than initially thought; believes customer data for main product line to be compromised as well.
Insurer reveals cyber criminal sent additional files to include 1,000 ahm policy records as well as other sets of customer data from Medibank, ahm, and OSHC.
Medibank announces comprehensive support package for customers including financial support for vulnerable individuals, free access to mental health and wellbeing services, and reimbursement for reissuance of identity documents, among others.
OAIC releases advice on Medibank cyber attack.
ASIC releases guidance for consumers impacted by the Medibank Private and AHM cyber incident.

October 26

Insurer resumes trading on ASX, incurs 18% drop in share value, loses ~ $1.8 billion by EOD.
Medibank issues ASX regulatory filing, admits all customers’ personal and health claims data are compromised, reveals it doesn’t have cyber insurance.

October 27

Medibank breach extends to Adelaide-based healthcare provider My Home Hospital.

October 28

Department of Education issues advice and factsheet to foreign students following data breach.

October 31

AFP warns Medibank not to pay ransom.

November 7

Medibank issues ASX filing, says it won’t pay ransom, announces additional support packages for affected customers.

November 8

Cybercriminal gang threatens to release stolen Medibank data within 24 hours.
Law firms Bannister Law and Centennial Lawyers announce joint class action investigation.

November 9

Ransomware gang keeps word, posts “good” and “naughty” lists of Medibank customer data on dark web, also reveals pre-leak communications with insurer.
Medibank authenticates leaked customer data.
AFP expands Operation Guardian to protect vulnerable Medibank customers.
House of Representatives passes ammendments to privacy penalty bill seeking larger fines for serious data breaches.

November 10

“Scumbags and crooks” leak next batch of stolen customer data, including those of policy holders who had abortions.
Criminal gang reveals they asked for US$10 million ransom, discountable to just US$1 for each of Medibank’s 9.7 million customers.
Bloomberg estimates compensation fallout from breach could cost Medibank as high as $960 million.
Virgin Australia locks out frequent flyers to protect customers exposed in the Medibank breach.

November 11

AFP Commissioner Reece Kershaw releases statement, notes Russian origin of hack, says individual culprits have been identified, Russian counterparts at Interpol (International Criminal Police Investigation) advised.
Russia criticises AFP statement, calls for cooperation.
Cybersecurity experts note cyber criminals’ possible link to Russia-based REvil ransomware gang.
AFP launches Operation Pallidus, Australia’s inter-agency effort to apprehend cyber criminals.

November 13

Government considers ban on ransom payments to criminal hackers.
Home Affairs Minister announces formation of standing 100-officer strong cybercrime task force led by AFP and Australian Signals Directorate (ASD).
Prominent law firm Maurice Blackburn announces class action investigation.
Data thieves post new blog entitled “psychos,” leak next batch of Medibank customer data related to mental health treatments.

November 14

Home Affairs Minister says Medibank failed customers.

November 15

Medibank discovers data breach also exposes hundreds of current and former staff.

November 16

Medibank commissions Deloitte to conduct external review.

November 18

Criminal hackers post video of pro-Putin Medibank customer affected by data breach.

November 20, 21

Cyber criminals leak next batch of stolen data containing hundreds of personal and health records including information allegedly on patients treated for viral hepatitis and sexually transmitted diseases.

November 21, 22

Attackers’ data leak site inexplicably goes offline.
Unknown entity posts message on dark web hacker forum, disparages ‘amateurish’ conduct of Medibank hackers, raises possibility of global ban on ransom payments.
Observers think Australian agents in ‘psyops’ mode.

November 28

APRA intensifies supervision of Medibank, expects insurer to undertake recommended remediation actions, including impacts to executive compensation.
Ammendments to privacy penalty bill mandating higher fines pass both Houses of Parliament.

November 29

OAIC welcomes passing of Privacy Bill, notes closer alignment with Europe’s General Data Protection Regulation (GDPR) and stronger mandate over offshore-domiciled entities doing business in Australia.

December 1

Criminal gang leaks millions of stolen customer information on dark web, declares data theft and extortion attempt as “case closed.”
Class action law firm Maurice Blackburn lodges formal complaint against Medibank with OAIC.
OAIC launches own investigation into data breach.

December 8

Medibank to turn off systems over weekend to upgrade IT security, Microsoft to assist.
Home Affairs Minister reveals plans for new cyber security strategy, aims to make Australia “world’s most cyber-secure country by 2030.”

December 12

Medibank turns systems back online with security enhancements, says no suspicious activities were detected since Oct 12 data breach announcement.
Privacy Legislation Amendment (Enforcement and Other Measures) receives Governor-General’s assent, now in force as law (Act No. 83 of 2022).

December 14

Medibank gets notice from class action law firm Maurice Blackburn, insurer pledges coorperation with OAIC on hack probe.
Q4 statistics turn Australia into world’s worst location in data breach density.

2023

January 15

Bannister Law Class Actions and Centennial Lawyers join Maurice Blackburn’s landmark class suit filed with OAIC against Medibank.

January 16

Data breach extends to people who just requested policy quotes from ahm per ABC report.

January 23

Australia leads International Counter Ransomware Task Force composed of 37 like-minded governments to fight ransomware.

Which data was compromised?

Based on Medibank’s investigation, select data of virtually all of its current and former customers, staff, and service providers have been compromised. That means around 9.7 million individuals and entities are affected since Medibank counts around 5.1 million current and former customers while its budget subsidiary (ahm) and foreign students business (OSHC) have 2.8 million and 1.8 million customers, respectively.

For customers covered under a Medibank-branded health insurance policy, the following data have been accessed and likely stolen by the cyber criminal group:

first name and surname
policy number
date of birth
address
email address
contact phone number
[for some customers] gender, employer name and employee ID, and/or some health claims data, and/or velocity membership number

In addition to policy number, standard contact information, and some health claims data, other information have been compromised for ahm and OSHC customers. These include gender information and Medicare for ahm policy holders; as well as passport number, country of origin, and gender for holders of OSHC policies.

Meanwhile, customers covered under Medibank’s health insurance policies for overseas visitors were also affected, with visa details compromised for some policy holders. For Medibank travel insurance customers, their contact information and policy start dates were compromised.

The criminal group behind the Medibank cyber attack initially claimed they hold credit card information but the insurer believes that this is not the case.

On November 7, the health insurance provider announced that it will not pay any ransom while disclosing that its investigations found that health claims data for around 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international customers were accessed by the cybercriminals.

In retaliation to Medibank’s refusal to pay the ransom, the attackers leaked several batches of customer contact and health data on the dark net, so far totalling to around 2700 policy records.

How did the cyber attackers steal customer data?

Following days of internal investigations, IT security experts now believe that the data breach was accomplished via a hacked user account belonging to a Medibank staff who had high-level access credentials.

How the said user account has been hacked is yet to be determined, but the stolen login credentials have been traced to a Russian-language cybercrime forum that also serves as a platform for “initial access brokers” (IAB), whose primary role is to sell stolen user credentials to ransomware gangs and other threat actors. From the said forum, the Medibank account with high-level privileges was purchased by a technically sophisticated criminal operator or a hacker group who then used it to pass through the insurer’s perimeter defences, conduct system-wide reconnaissance, and access some of Medibank’s most valuable assets: the personal and health records of its customers.

Prior to a full-scale intrusion, the criminal entity was able to establish two backdoors, one for redundancy in case the other got detected by the insurer’s security tools. Once the backdoors were ready, the attacker then prowled Medibank’s IT environment for an undetermined period of time, gathering enough intel to orchestrate one of the most damaging data breaches in Australian history. Some experts believe that the attacker was able to conduct a thorough surveillance not only of Medibank’s customer data but also of its internal systems and applications, and possibly how these diverse elements share information.

Citing an insider close to the internal investigation, The Guardian reported that the attacker even created and deployed a special tool designed to exfiltrate information from Medibank’s customer database, pack it into a zip file, and then sneak it out of the insurer’s network. At some point, Medibank’s cybersecurity mechanisms detected unusual activity, discovered the two backdoors, and closed the loop.

But the damage was done.

As reported by The Australian Financial Review, leaked conversation (over email and WhatsApp) between Medibank and the criminal group suggests that the REvil-linked attackers –

freely prowled across the insurer’s data network for several weeks before being detected;
co-opted a virtual private network (VPN) to orchestrate the breach;
used Structured Query Language (SQL) to extract data from a database;
created backup copies of entire databases through a process called “dumping,” which requires the highest level of user privilege and grants “root access” to the database;
failed to encrypt Medibank’s data after “prematurely” being detected and shut down by Medibank’s cybersecurity mechanism;
succeeded in stealing virtually all of the insurer’s customer data; and,
aborted their planned ransomware attack (via an encryption-decryption process) and resorted to mere extortion by threatening to leak the sensitive customer data they have stolen.

What should Medibank customers do?

Given how things are going, virtually all Medibank customers face a high likelihood that their identity and possibly their health data have been compromised. As such, both the federal government and Medibank advise customers to practice vigilance, proactively protect their data, and immediately report any suspicious activity or messages on their devices.

To mitigate impact on customers, Medibank provides a support package that includes:

free access to mental health advice and wellbeing resources
24/7 access to trained cybercrime counsellors
free identity monitoring services
hardship support for customers uniquely vulnerable as a result of the data breach
reimbursement of ID replacement fees (including passports)  
specialist identity protection advice and resources from IDCARE
personal duress alarms for customers whose safety is at risk

You should also visit the Department of Home Affairs’ web page on the incident to know exactly which agency to seek help from regarding your specific situation.

Here are some additional resources for affected Medibank customers:

If you have received any suspicious text messages or emails, immediately report to the Australian Cyber Security Centre. You can either call their hotline [1300 292 371] or submit an online report. To help Medibank and law enforcement authorities in their current investigations, you can also report to scaminvestigations@medibank.com.au.

What’s next after the Medibank cyber attack?

The data breach at Medibank is not an isolated case. In a sad and frustrating turn of events, even its scale now appears to be commonplace, with the fallout from similar cyber attacks at Optus, Woolworths, Vinomofo, and other major players being experienced at the same time by many Australians.

The same culprits – who have already paralysed and extorted Australian companies like JBS Foods – are being called out. And the usual remedies – multifactor authentication, stronger passwords, and smarter cyber security systems – are being prescribed.

But this time, the stakes are getting even higher. Ransomware groups grow nastier and more sophisticated. Government moves are afoot to establish higher penalties for data breaches, from just $2.2 million to a potentially crippling $50 million for a major incident like the attack on Medibank. Making matters even worse, malicious hackers now view Australian businesses as soft targets given the miserable optics with both breaches at the country’s largest private health insurer and its second largest mobile network operator.

Faced with higher fines from regulatory agencies and with greater hazard from criminal groups, organisations simply cannot stay put. As Robert Anderson, former FBI head of cyber security investigations puts it, businesses need to think “one step ahead of the bad guys.”