Medibank data breach: More customers affected, attacker got in via stolen credentials

Australian private health insurance provider Medibank has revealed that the hack and data breach it discovered over two weeks ago has affected more customers than initially thought.

“We have received a series of additional files from the criminal. We have been able to determine that this includes: a copy of the file received last week containing 100 ahm policy records (including personal and health claims data); a file of a further 1,000 ahm policy records (including personal and health claims data); and files which contain some Medibank and additional ahm and international student customer data,” the company said.

“It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers.”

More customers affected

According to The Guardian, Medibank is working under the assumption that all its customers have been affected, including past ones (as they have a legal obligation to keep those records for seven years).

The company did not say whether they are considering paying the ransom, but they are putting in place services and offerings to support their customers in case the stolen data is leaked by the attacker.

These include financial support for especially vulnerable customers, a mental health and wellbeing support line for all customers, access to specialist identity protection advice and resources, free identity monitoring services for customers who have had their primary ID compromised, and reimbursement of fees for re-issue of identity documents that have been fully compromised.

It has set up a specialized team to help customers who have received scammy emails or threats as a consequence of this hack, and is “also working with all Australian banks and relevant government departments to help them take additional steps to increase monitoring of affected customers accounts.”

Affected customers will be contacted by Medibank directly but the company made sure to point out that they “will never contact customers requesting passwords or other sensitive information.”

Do we know more about how Medibank was hacked?

“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community,” said Medibank CEO David Koczkar.

“We continue to work closely with the agencies of the Federal Government, including the ongoing criminal investigation into this matter. We thank them for their ongoing support and assistance.”

While Medibank has yet to officially confirm it, it seems that the attacker got into their network by buying stolen access credentials from a Russian-language cybercrime forum.

After gaining access, the attacker performed reconnaissance, deployed two backdoors, and exfiltrated customer data by using a bespoke data exfiltration tool. The name of the ransomware that the attacker meant to use has yet to be revealed.

The one thing that’s clear, though, is that Medibank has been carrying out cybersecurity crisis communication as it should be done.

Source: https://www.helpnetsecurity.com/2022/10/25/medibank-breach-customers-affected/
