The hacker who claims to be behind what has been labelled a “significant cyber security incident” at Medibank has sent the private health insurer details of 100 customers, and claims to have hundreds of gigabytes of customers’ personal data.
Medibank said it held a “range of necessary personal information of customers” as a company providing health insurance and services. Source: AAP / Bianca De Marchi
Australia’s largest private health insurer has suffered a “significant cyber security incident”, just weeks after an attack on telecommunications giant Optus saw the personal data of millions compromised.
Medibank — a multibillion-dollar business with more than 3.9 million customers — revealed last week that it had detected “unusual activity” on its network. It said it had swung into action to contain the incident, and engaged “specialist cyber security firms”. There was “no evidence” customer data had been stolen.
But the situation now appears to be taking a more serious turn, with
an investigation launched
after alleged hackers who claim to have stolen Medibank customer data contacted the private health insurer wanting to negotiate.
The publicly-listed company has also entered a trading halt on the ASX, which will continue “until further notice”.
READ MORE
Concerned by the Optus data breach? Here’s how to protect against online scams and hacks
What data do the hackers have?
In a statement released on Thursday, Medibank said it had been contacted by someone claiming to have 200 gigabytes of customers’ personal data.
In a bid to seemingly bolster their claim, the person provided Medibank with a data sample. That included 100 policies that the private health insurer believes comes from ahm (a Medibank subsidiary) and international student systems.
The data included first and last names, dates of birth, addresses, policy, phone, and Medicare numbers, as well as some claims data, according to Medibank.
“This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedure,” Medibank said in a statement.
“The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations.”
Associate Professor of Cyber Security at the University of Melbourne, Dr Toby Murray, said the seemingly genuine sample release was concerning.
“That does tell us these hackers do seem to have real data. We don’t know how many individuals [overall] that’s affecting, but we might assume it is a large number based on that 200-gigabyte figure,” Dr Murray said.
“Until we learn more it’s too difficult to say at this stage … it certainly is a significant amount of data.”
Medibank CEO David Koczkar offered an apology acknowledging the news would concern customers. Source: AAP / Bianca De Marchi
On Wednesday, Medibank said it had been contacted by the hacker who wanted to negotiate over the data they claim to have stolen.
Nine Newspapers reported that the hacker
has threatened to sell the information
unless the health insurer pays a ransom.
Medibank nor authorities have yet revealed what the alleged hackers are demanding in order to halt the release of customer data they claim to have.
How has Medibank responded?
Medibank said it would contact customers who it knows have been caught up in the cyber attack, and it expects more will be affected as the incident develops.
“Medibank urges our customers to remain vigilant, and encourages them to seek independent advice from trusted sources, including the
Australian Cyber Security Centre
,” it said in a statement on Thursday.
“As always, Medibank will never contact customers requesting passwords or other sensitive information.”
Medibank CEO David Koczkar apologised “unreservedly” for the incident and said he knew customers would be “disappointed” with the health fund.
“Medibank will remain open and transparent and will continue to provide comprehensive updates as often as we can and need to,” Mr Koczkar said in a statement.
Cyber Security Minister Clare O’Neil said the situation was concerning and that agencies were working to stop the data from being released on the internet. Source: AAP / Mick Tsikas
Earlier, Medibank said it was “working urgently” to verify the authenticity of the hackers’ claims.
The health insurer said protection of customer data remained a priority.
“Medibank systems have not been encrypted by ransomware, which means usual activities for customers continues,” it said in a statement on Wednesday.
It said it held a “range of necessary personal information of customers” as a company providing health insurance and services.
How has the federal government responded?
An investigation into the cyber attack has been launched, with federal government agencies examining the incident and working alongside Medibank.
Cyber Security Minister Clare O’Neil said the situation was concerning and that agencies were working to stop the data from being released on the internet.
Ms O’Neil, who had labelled the attack a “significant cyber security incident”, said the alleged hackers were trying to negotiate with Medibank while holding the information hostage.
“Financial crime is a terrible thing, but ultimately a credit card can be replaced … The threat being made here, to make the private, personal health information of Australians available to the public, is a dog act,” she told reporters on Thursday.
“The toughest and smartest people in the Australian government are working directly with Medibank to try to ensure this horrendous criminal act does not turn into what could be irreparable harm.”
Earlier, she said it was too early to tell how many customers had been affected by the Medibank hack after speaking with Mr Koczkar.
Medibank is now working alongside federal police and the Australian Signals Directorate to manage the breach.
Ms O’Neil said the attack — which follows
the widespread data breach at Optus
— was a wake-up call for business.
“This is the new world that we live in, we are going to be under relentless cyber attack essentially from here on in,” Ms O’Neil told ABC Radio on Thursday.
“We need to do a lot better as a country to make sure that we are doing everything we can within organisations to protect customer data and also for citizens to be doing everything they can.”
How does this differ from the Optus cyber attack?
Dr Murray said the data was not as “financially useful” as identity information like what was stolen in the Optus data breach, which included driver’s licence and passport numbers.
“You can’t use it necessarily to open a bank account in someone’s name,” Dr Murray told SBS News. “But, you can certainly use it to try to extort people to get them to pay up to prevent you from making that [data] public.”
He said the main risk facing affected Optus customers was identity theft.
Those who might be affected by the Medibank cyber attack, the risk “mainly seems to be around individual privacy at this stage.”
“Although they have said there’s also potentially credit card information that may have been exposed… which does present a financial risk.”
With additional reporting by AAP.
