The continuing release of Medibank data, distressing for those affected, is not extraordinary behaviour by hackers. It is all too common.

November 20, 2022 |

The news that Medibank data continues to be released onto the dark web is hardly unexpected.  Hackers do it if they are frustrated that a ransom has not been paid, sometimes if they are acting on behalf of state players and the object is not money but humiliation and sometimes for the hell of it, even if the ransom has been paid.

TheREvil group is clearly intending on causing maximum pain given the data, of nearly 1,500 individuals,  relate to a range of conditions including:

  • heart disease,
  • diabetes
  • asthma,
  • cancer,
  • dementia,
  • mental health conditions,
  • infections
  • delirium.

For a change Medibank has got in front of the story with an announcement.   Medibank’s media statements are still quite rudimentary compared to resp;onses in the United States where there is much more experience in responding to big data breaches.  It is difficult to improve the media landscape after such a disastrous initial response and given the nature of the data being leaked.  The hackers will continue to leak data and the reputational damage to Medibank will continue to grow.

To restate the obvious, this data breach highlights the need for organisations to have a comprehensive privacy and cyber security strategy, including a plan to deal with a data breach if it occurs.  Medibank has shown what happens when that doesn’t happen.

The Medibank statement provides:

We are aware that some stolen Medibank data has been released on the dark web today.

Medibank CEO David Koczkar said we are doing everything we can to make sure our customers are supported.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures,” Mr Koczkar said.

“If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.

“Anyone who downloads this data from the dark web, which is more complicated than searching for information in a public internet forum and attempts to profit from it is committing a crime.

“The Australian Federal Police have said law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank customer data. We continue to work closely with the Australian Federal Police who are focused, as part of Operation Guardian, on preventing the criminal misuse of this data.

“Again, I unreservedly apologise to our customers.

“We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web,” he said.

Our customers can also contact us to understand what data has been accessed – we’ve extended call centre hours and we’ve increased our customer support team by more than 300 people.

Data released on the dark web today

    • 4 files containing 1,496 records
    • 123 records are from the previous files released
    • 375 of the 1,496 records do not match against that policy for that procedure. Previous files released have not matched our records.

These lists include people with chronic conditions such as heart disease, diabetes and asthma, people with cancer, people with dementia, people with mental health conditions, people with infections and people who have sustained injuries, amongst other conditions.

Some of the people on the list have had diagnoses that include mental illnesses, or delirium, which is an acute change in mental status that can be triggered by illness, injury, surgery, or medications.

Delirium is a temporary condition that’s not uncommon in hospital, particularly for elderly people, as they become disoriented to their surroundings.

We encourage all Australians to seek medical care for any physical or mental health conditions that impact them, free from any shame or stigma.

These are real people behind this data and the misuse of their data may discourage them from seeking medical care.

Given the sensitive nature of the stolen customer data that is being released on the dark web we continue to ask the media and others to support our ongoing efforts to minimise harm to customers, and not to unnecessarily download sensitive personal data from the dark web and to refrain from contacting customers directly.

Supporting our customers

Our dedicated Cyber Response Support Program for our customers includes:

A cybercrime health & wellbeing line (1800 644 325) – counsellors that have experience supporting vulnerable people (such as those at risk of domestic violence) and have been trained to support victims of crime and issues related to sensitive health information
Mental health outreach service – proactive support service for customers identified as being vulnerable, or through referral from our contact centre team
Better Minds App – new tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear, with additional phone based psychological support available
Personal duress alarms – for customers particularly vulnerable and/or with safety risks
Hardship support for customers who are in a uniquely vulnerable position as a result of this crime which can be accessed via our contact centre team (13 23 31 for Medibank and international customers, 13 42 46 for ahm customers and 1800 081 245 for My Home Hospital patients)
Specialist identity protection advice and resources through IDCARE’s purpose-built Medibank page
Free identity monitoring services for customers whose identity has been compromised as a result of this crime
Reimbursement of ID replacement fees for customers who need to replace any identity documents that have been compromised as a result of this crime
Specialised teams to help our customers who receive scam communications or threats

To further assist our customers, we’ve extended call centre hours and created dedicated specialist teams to support customers.

Reach out for support
We understand this crime will be distressing for many of our customers.

Customers should reach out for support if they need it from:

• Medibank’s Mental Health Support line on 1800 644 325 (Medibank international students call 1800 887 283 and ahm international students call 1800 006 745)
• Beyond Blue (1300 224 636 / beyondblue.org.au)
• Lifeline (13 11 14 / lifeline.org.au)
• Their GP or other relevant health professional

Remaining vigilant

Medibank recommends being vigilant with all online communications and transactions including:

• Being alert for any phishing scams via phone, post or email
• Verifying any communications received to ensure they are legitimate • Not opening texts from unknown or suspicious numbers
• Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentications on any online accounts where available
• Medibank will never contact customers asking for password or sensitive information

If you are contacted by someone who claims to have your data, or you are a victim of cybercrime, you can report it at ReportCyber on the Australian Cyber Security Centre website. To report a scam, go to ScamWatch. If you believe you are at physical risk, please call emergency services (000) immediately.

The media coverage following the statement was predictable and extensive, such as from the Age, the Guardian and 7News.  Given the nature of the data involved it is not surprising that the stories have moved beyond reporting what happened to more in depth stories about how it is impacting individuals such as with today’s ABC video story Vulnerable customers say they fear for their safety after Medibank hack.

Itgovernance has a good summary of the history of the Medibank data breach and its claims with Medibank Defends its Security Practices as its Ransomware Woes Worsen which provides:

Medibank faced angry questioning during its annual general meeting yesterday as shareholders sought explanations for the organisation’s response to last month’s cyber attack.

The Australian health insurance giant fell victim to ransomware in October, as a result of which the personal data of 9.7 million current and former customers was compromised.

In most cases, basic personal information – such as their name, date of birth, email address, phone number and gender – was exposed. But for 480,000 victims, health claims made with Medibank were stolen and published online.

Medibank’s chairman, Mike Wilkins, told the meeting in Melbourne that the cyber attack was “unprecedented”, describing it as a “shocking crime”, the size and scale of which had not been seen before.

Although the latter part of his statement might not be true – the unfortunate reality is that data breaches like this are now common – the broader argument is fair. It’s all too easy to criticise the victim of a cyber attack without acknowledging the indiscriminate nature with which cyber criminals operate.

Australia’s Home Affairs Minister Clare O’Neil rushed to Medibank’s defence, praising the organisation for refusing to pay the criminal’s ransom, while calling the group responsible “scumbags” and “disgraceful human beings”.

Medibank CEO David Koczkar told shareholders that the organisation is in the process of contacting customers whose information was compromised. He added that those whose health information had been posted online had been contacted within 48 hours of the information’s publication.

“We believe that is the right decision. Those customers are uniquely vulnerable. And we want to make sure that they hear that as soon as they can from us. As I said before, this is a complicated process,” he said.

But not everybody has been satisfied with Medibank’s response. The organisation’s share price plummeted by almost 19% following the data breach, and despite its claims that it has done the right thing, new details continue to emerge that cast doubt on Medibank’s cyber security practices.

The extent of the damage

From the moment that the data breach came to light, Medibank had an uphill battle to restore its reputation. The attack, which occurred after a cyber criminal exposed the login credentials of a high-level employee, led to two separate leaks on a dark web site operated by the ransomware group REvil.

The first was damaging enough, containing patients’ names, addresses and birthdates. This sort of information is particularly prized by cyber criminals because it is much easier to use fraudulently compared to, say, financial data.

Banks tend to have far more robust processes in place to identify suspicious activity, which means the stolen information will have a much shorter shelf life. Health data, by contrast, enables attackers to operate under the radar, typically to commit health insurance fraud.

In some cases, the information is used – either by the attacker or someone who purchases it – to illegally obtain prescription drugs or medical equipment.

Things got worse for Medibank after a second database was leaked, containing a file named “abortions”. It was followed by another one that contained the personal data of 240 policyholders who made claims related to drug addiction.

From bad to worse

A fourth file was then leaked, labelled “psychos”, which contained hundreds of claims from policyholders who have undergone mental health treatment.

These files present an added risk because there is the individual’s reputational damage to consider on top of the potential for fraud. Victims will be at best embarrassed and at worst stigmatised if their medical condition was made public, and it could result in the victim being targeted by scams.

As the Australian Federal Police warned, the release of this information can be “distressing and embarrassing”, and could expose those affected to blackmail.

“Please do not be embarrassed to contact police […] if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made,” Assistant Commissioner Justine Gough said.

To compound matters, some victims claim that Medibank’s assurances that it has contacted those affected – and its repeated statements on the importance of doing so – are inaccurate.

Speaking to the Guardian, one victim said: “It’s been about a week now and Medibank have still not informed me that my data is in that dump.”

After contacting Medibank to enquire about the situation, the victim – who asked to remain anonymous – was told the organisation would be communicating with those who had health claims data posted first.

“They had ample time to prepare the comms and get them out to anyone that had been exposed, and taking over a week to do so is really poor form – and I don’t buy in to the excuses they have given,” he said.

“I think that’s probably a bad call given all of their earlier posturing about being transparent.”

Robust practices

Despite the growing criticisms of Medibank’s response, the organisation’s board have stood by their response. Mike Wilkins described Medibank’s security processes as “robust”, although he acknowledged that whether this proved to be true was subject to an external investigation currently being carried out by Deloitte.

The result of that investigation is likely many months away, but in the meantime, Medibank can point to two key pieces of evidence. First, it employed multi-factor authentication to protect employee accounts.

With multi-factor authentication, individuals enter a password as normal, but must also provide a second piece of information that confirms that they have legitimate access to the system.

This is typically either ‘something you have’ (such as a code sent to your phone) or ‘something you are’ (such as a fingerprint scan).

By doing this, you mitigate the risk of password compromise. An attacker might have your login details, but they still need additional information to access your account.

The technique isn’t foolproof, as this incident demonstrates. More sophisticated attacks trick victims into handing over their authentication keys in addition to their login credentials, and it appears that this is what happened to the employee in question.

However, it at least demonstrates that Medibank acknowledged the threat of cyber crime and had implemented defences to mitigate the risk.

Neither the organisation’s processes nor the rollout of technology can be blamed. At worst, you can argue that it didn’t do enough to educate employees on the threat of fraud – but human error can never be entirely eradicated, and without any knowledge about the organisation’s staff awareness practices, it’s unfair to place blame.

The most exculpatory evidence is Medibank’s refusal to pay the ransom. For an organisation already under fire for the disruption caused by a malware attack, and knowing the explosive damage that would be caused if its files were leaked, it would be easy to quietly pay the attackers off in the hope of avoiding a major scandal.

However, cyber security experts urge organisations not to pay up. Even if their systems are restored, there is no guarantee that the information wouldn’t end up online anyway. Plus, paying up makes the victim a target for future extortion attempts.

With the damage caused by this breach, you can understand why so many people are willing to criticise Medibank. And, indeed, many mistakes were made. However, it’s important to praise the organisation for facing the consequences of its actions head-on.

Ransomware has become one of the most pervasive threats organisations face, thanks to the ease with which attacks can be carried out and the potential for large financial rewards.

It only takes one organisation to go against expert advice and pay the ransom for the criminals to hit the jackpot. The average ransomware payment is about £30,500, which organisations could easily justify, but every time that happens, it supports the crooks’ efforts and could be used to fund future attacks.

Leave a Reply





Verified by MonsterInsights