
Criminal behind Medibank cyber attack exposes thousands of customers' health data

So far, 2022 has been a gloomy year for Australia’s data privacy and IT security climate, with three industry giants from the retail (Woolworths), telecom (Optus), and insurance (Medibank) sectors reeling from massive cyber attacks whose aggregate fallout just might impact the majority of Australians.

On October 12, the country’s largest health insurer Medibank detected suspicious activity in its customer data systems, prompting an immediate security response, internal investigation, and notification of relevant authorities. The insurer initially announced that there was “no evidence that any sensitive data, including customer data, has been accessed.”

But it turned out days later that a criminal group had indeed accessed and stolen around 200GB of customer data – including sensitive health information – which it then held to ransom.

Who is Medibank?

Medibank Private Limited is the largest and top performing private health insurance provider in Australia, based on the government’s 2021 State of the Health Funds Report. Medibank serves nearly 4 million customers (roughly 15% of the total population) and controlled 27.3% of the market as of 2021.  

Formed in 1976 as a government-run non-profit insurer, Medibank was privatised in 2014 and currently operates as a publicly listed company on the Australian Securities Exchange (ASX). It acquired Wollongong-based insurer Australian Health Management (ahm) in 2009 and has operated the subsidiary since then as its low-cost (budget) brand. Medibank offers a wide range of services, including health insurance coverage for international students, which is mandated for Australian visa class 500. Medibank provides this insurance category via its OSHC (Overseas Student Health Cover) plans. Notably, the data breach was initially detected, halted, and isolated within these two component businesses, which together account for around 1 million customers, according to The Sydney Morning Herald. Upon further investigation, however, customer data for Medibank’s main brand was also found to be compromised.

As an insurer, Medibank operates within the regulatory standards of the Australian Prudential Regulation Authority (APRA). 

Who is behind the Medibank cyber attack?

In a November 11 statement, the Australian Federal Police said it had identified the individuals behind the data breach, that those culprits are in Russia, and that they belong to a group of cyber criminals who are likely responsible for other major cyber attacks around the world. The AFP noted that some criminal affiliates might be located in other countries, prompting the federal police to undertake covert measures and work with international law enforcement agencies.

The AFP’s investigation aligned well with the near-unanimous conjecture among cyber security experts that the attackers are linked to the Russia-based ransomware gang REvil, also known as Sodinokibi. Believed to have been dismantled by Russian law enforcement in early 2022, the criminal gang appears to have resurfaced via a new dark web leak site and hacking operation called “BlogXX.” The new site is the redirect destination from REvil’s original Tor website, which was allegedly shut down by the FSB, Russia’s principal security agency. Meanwhile, security researchers confirmed that the source code of the data encryptor used by the new operation was based on the one deployed by REvil.

Several weeks prior, on October 19, the threat actor contacted Medibank to reveal that it had stolen at least 200GB of customer data, providing 100 samples of policy-holder records as evidence of its claim. Aside from personally identifiable information (PII), the stolen data includes highly sensitive information about customers’ diagnoses, medical procedures, and where customers acquired medical services. The criminal group threatened to sell the stolen data unless the insurer paid an undisclosed ransom amount, warning that it would first target 1,000 Medibank customers it deemed “prominent” or with “very interesting diagnoses.”

Notably, the threat actor specified just who it thought were the “prominent” customers in Medibank’s client portfolio: “[those with the] most [social media] followers, politicians, actors, bloggers, LGBT activists [and] drug addicted people” as well as people with “very interesting diagnoses”.

Making things even worse, the cyber attack hit Medibank’s system for international students, some of whom might have undergone medical procedures or services that are banned, heavily penalised, or even carry death sentences in their home countries. 

Home Affairs Minister Clare O’Neil castigated the “criminal” behind the Medibank cyber attack, describing the deed as horrendous, unacceptable, and a dog act:

“And that is a criminal who is suggesting that they are going to divulge the personal information of Australians to the public and that is simply unacceptable to us.”

“Financial crime is a terrible thing but ultimately a credit card can be replaced, but the threat being made here to make the private and personal health information of Australians made available to the public is a dog act."

“That is why the toughest and smartest people in the Australian Government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into irreparable harm to some Australian citizens.”

Days after the data breach was discovered, internal investigations at Medibank homed in on how the attack started. Security experts now believe that the hack was pulled off using the stolen access credentials of a Medibank staff member with high-level privileges within the organisation’s network. Reportedly, these stolen credentials were sold on a Russian-speaking forum and purchased by another threat actor, acting alone or as part of a group of malicious operators, who then used the hacked credentials to gain high-level access to Medibank’s systems, create backdoors, conduct network-wide reconnaissance, and steal customer data.

On November 8, the criminal gang contacted Medibank and threatened to release more customer data within 24 hours unless the insurer paid a then-undisclosed ransom amount. A day later, the cyber crime group followed through with its threat, leaking hundreds of customer contact and health records (labelled separately under a “good” and a “naughty” list) on the dark web. Meanwhile, Medibank reiterated its commitment to ignore the ransom demand.

On November 10, a person going by the moniker John K Ram claimed – in a dark web post – to be one of the attackers and revealed the ransom amount: US$1 per Medibank customer, or around US$9.7 million (~ AU$15 million). 

Successive batches of stolen customer data – allegedly including health claims information related to abortions, chronic conditions, mental health treatments, and sexually transmitted diseases – were leaked. 

During an interview with Today, Treasurer Jim Chalmers described the criminal hackers as “absolute grubs.”

When did the cyber attack on Medibank happen?

On October 12, Medibank detected unusual activity in its systems for international students and for its low-cost insurance plans offered through its budget subsidiary, ahm. The insurer immediately stopped and contained the activity, engaging cyber security firms and launching an internal investigation in the process. The following day, Medibank duly reported the incident to authorities, deactivated the affected systems, and began reaching out to potentially affected customers.   

Here’s a timeline highlighting key events surrounding the cyber attack:

Which data was compromised?

Based on Medibank’s investigation, selected data of virtually all of its current and former customers, staff, and service providers has been compromised. That means around 9.7 million individuals and entities are affected, since Medibank counts around 5.1 million current and former customers while its budget subsidiary (ahm) and foreign students business (OSHC) have 2.8 million and 1.8 million customers, respectively.

For customers covered under a Medibank-branded health insurance policy, the following data have been accessed and likely stolen by the cyber criminal group:

  • first name and surname
  • policy number
  • date of birth
  • address
  • email address
  • contact phone number
  • [for some customers] gender, employer name and employee ID, and/or some health claims data, and/or Velocity membership number

In addition to policy number, standard contact information, and some health claims data, other information has been compromised for ahm and OSHC customers. This includes gender and Medicare number for ahm policy holders, as well as passport number, country of origin, and gender for holders of OSHC policies.

Meanwhile, customers covered under Medibank’s health insurance policies for overseas visitors were also affected, with visa details compromised for some policy holders. For Medibank travel insurance customers, their contact information and policy start dates were compromised.

The criminal group behind the Medibank cyber attack initially claimed they hold credit card information but the insurer believes that this is not the case.

On November 7, the health insurance provider announced that it would not pay any ransom, while disclosing that its investigations had found that health claims data for around 160,000 Medibank customers, 300,000 ahm customers, and 20,000 international customers were accessed by the cybercriminals.

In retaliation for Medibank’s refusal to pay the ransom, the attackers leaked several batches of customer contact and health data on the dark web, so far totalling around 2,700 policy records.

How did the cyber attackers steal customer data?

Following days of internal investigations, IT security experts now believe that the data breach was accomplished via a hacked user account belonging to a Medibank staff member who had high-level access credentials.

How that user account was compromised is yet to be determined, but the stolen login credentials have been traced to a Russian-language cybercrime forum that also serves as a platform for “initial access brokers” (IABs), whose primary role is to sell stolen user credentials to ransomware gangs and other threat actors. From that forum, the Medibank account with high-level privileges was purchased by a technically sophisticated criminal operator or hacker group, who then used it to pass through the insurer’s perimeter defences, conduct system-wide reconnaissance, and access some of Medibank’s most valuable assets: the personal and health records of its customers.

Prior to a full-scale intrusion, the criminal entity was able to establish two backdoors, one for redundancy in case the other got detected by the insurer’s security tools. Once the backdoors were ready, the attacker then prowled Medibank’s IT environment for an undetermined period of time, gathering enough intel to orchestrate one of the most damaging data breaches in Australian history. Some experts believe that the attacker was able to conduct a thorough surveillance not only of Medibank’s customer data but also of its internal systems and applications, and possibly how these diverse elements share information.

Citing an insider close to the internal investigation, The Guardian reported that the attacker even created and deployed a special tool designed to exfiltrate information from Medibank’s customer database, pack it into a zip file, and then sneak it out of the insurer’s network. At some point, Medibank’s cybersecurity mechanisms detected unusual activity, discovered the two backdoors, and closed the loop. 

But the damage was done.

As reported by The Australian Financial Review, leaked conversations (over email and WhatsApp) between Medibank and the criminal group suggest that the REvil-linked attackers –

  1. freely prowled across the insurer’s data network for several weeks before being detected;
  2. co-opted a virtual private network (VPN) to orchestrate the breach;
  3. used Structured Query Language (SQL) to extract data from a database;
  4. created backup copies of entire databases through a process called “dumping,” which requires the highest level of user privilege and grants “root access” to the database;
  5. failed to encrypt Medibank’s data after “prematurely” being detected and shut down by Medibank’s cybersecurity mechanism;
  6. succeeded in stealing virtually all of the insurer’s customer data; and,
  7. aborted their planned ransomware attack (via an encryption-decryption process) and resorted to mere extortion by threatening to leak the sensitive customer data they have stolen.  
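A defender-side illustration of the chain in items 2 to 6 above, as an added example that is not from the article, the AFR report, or Medibank: a small correlation rule over constructed telemetry that alerts when a remote (VPN) login is followed by a full database dump and then by a large outbound transfer. The event schema, field names, sample values and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

GIB = 1024 ** 3

# Constructed sample telemetry, not real Medibank data; the field names are an
# assumed schema for a normalised event feed (VPN, database audit, egress flows).
EVENTS = [
    {"ts": "2022-10-01T02:10:00", "user": "dba_admin", "type": "vpn_login", "src": "203.0.113.7"},
    {"ts": "2022-10-01T02:20:00", "user": "dba_admin", "type": "db_dump", "db": "customers"},
    {"ts": "2022-10-01T02:40:00", "user": "dba_admin", "type": "egress", "bytes": 200 * GIB, "dst": "198.51.100.9"},
    {"ts": "2022-10-01T09:00:00", "user": "analyst1", "type": "vpn_login", "src": "192.0.2.5"},
    {"ts": "2022-10-01T09:05:00", "user": "analyst1", "type": "db_query", "sql": "SELECT COUNT(*) FROM claims"},
    {"ts": "2022-10-01T09:30:00", "user": "analyst1", "type": "egress", "bytes": 50 * 1024 ** 2, "dst": "192.0.2.80"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_dump_then_exfil(events, window=timedelta(hours=6), egress_threshold=GIB):
    """One alert per (user, remote login) where the login is followed, within
    `window`, by a full database dump and then by outbound traffic of at least
    `egress_threshold` bytes. Each step alone is routine for a DBA; the order matters."""
    alerts = []
    by_user = {}
    for event in sorted(events, key=_ts):
        by_user.setdefault(event["user"], []).append(event)
    for user, evs in by_user.items():
        for login in (e for e in evs if e["type"] == "vpn_login"):
            start, end = _ts(login), _ts(login) + window
            in_window = [e for e in evs if start <= _ts(e) <= end]
            dumps = [e for e in in_window if e["type"] == "db_dump"]
            if not dumps:
                continue
            first_dump = _ts(dumps[0])
            big_egress = [e for e in in_window
                          if e["type"] == "egress" and _ts(e) > first_dump
                          and e["bytes"] >= egress_threshold]
            if big_egress:
                alerts.append({
                    "user": user,
                    "login_src": login["src"],
                    "dumped": [d["db"] for d in dumps],
                    "egress_gib": round(sum(e["bytes"] for e in big_egress) / GIB, 1),
                    "dst": sorted({e["dst"] for e in big_egress}),
                })
    return alerts

if __name__ == "__main__":
    for alert in find_dump_then_exfil(EVENTS):
        print(alert)
```

In the sample feed only dba_admin trips the rule; analyst1 logs in remotely and moves 50 MiB, which is below the threshold and not preceded by a dump.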

What should Medibank customers do?

Given how things are going, virtually all Medibank customers face a high likelihood that their identity and possibly their health data have been compromised. As such, both the federal government and Medibank advise customers to practise vigilance, proactively protect their data, and immediately report any suspicious activity or messages on their devices.

To mitigate impact on customers, Medibank provides a support package that includes:

  • free access to mental health advice and wellbeing resources
  • 24/7 access to trained cybercrime counsellors
  • free identity monitoring services
  • hardship support for customers uniquely vulnerable as a result of the data breach
  • reimbursement of ID replacement fees (including passports)  
  • specialist identity protection advice and resources from IDCARE
  • personal duress alarms for customers whose safety is at risk

You should also visit the Department of Home Affairs’ web page on the incident to know exactly which agency to seek help from regarding your specific situation.

Here are some additional resources for affected Medibank customers:

  1. Customer Notice
  2. Timeline Of Events
  3. Support Package for Customers
  4. Advice from the Office of the Australian Information Commissioner

If you have received any suspicious text messages or emails, report them immediately to the Australian Cyber Security Centre. You can either call their hotline [1300 292 371] or submit an online report. To help Medibank and law enforcement authorities in their current investigations, you can also report to scaminvestigations@medibank.com.au.

What’s next after the Medibank cyber attack?

The data breach at Medibank is not an isolated case. In a sad and frustrating turn of events, even its scale now appears to be commonplace, with the fallout from similar cyber attacks at Optus, Woolworths, Vinomofo, and other major players being experienced at the same time by many Australians.

The same culprits – who have already paralysed and extorted Australian companies like JBS Foods – are being called out. And the usual remedies – multifactor authentication, stronger passwords, and smarter cyber security systems – are being prescribed.  

But this time, the stakes are getting even higher. Ransomware groups grow nastier and more sophisticated. Government moves are afoot to establish higher penalties for data breaches, from just $2.2 million to a potentially crippling $50 million for a major incident like the attack on Medibank. Making matters even worse, malicious hackers now view Australian businesses as soft targets given the miserable optics with both breaches at the country’s largest private health insurer and its second largest mobile network operator.

Faced with higher fines from regulatory agencies and with greater hazard from criminal groups, organisations simply cannot stay put. As Robert Anderson, former FBI head of cyber security investigations puts it, businesses need to think "one step ahead of the bad guys."

© 2025 Computer One Australia.