Medibank and its subsidiary Australian Health Management (AHM) recently fell victim to a cyber security breach in which millions of medical records were copied. Medibank is a leading private health insurer in Australia, specialising in health insurance cover for Australians and for international students visiting the country. As a health insurer, Medibank holds millions of medical records of many kinds and is legally obliged to retain such information securely for up to seven years.
On 13 October 2022, Medibank reported that it had detected unusual activity on its network, stating at the time that there was “no evidence that customer data has been accessed”. On 17 October 2022, Medibank was contacted by the threat actor, who set out to prove that they had obtained data from the insurer and to negotiate a ransom for the 200GB they claimed to have stolen. The ransom demanded was originally $10 million (USD), later reduced, in what the threat actor called a “discount”, to $9.7 million (USD): $1 per customer in the stolen data.
The threat actor initially opened a direct channel of communication over ProtonMail before moving to a WhatsApp conversation with Medibank’s CEO, David Koczkar. During that conversation the threat actor shared 1,000 medical records, containing details such as first names, surnames, dates of birth, medical ID numbers, home addresses, passport numbers and driving licence details.
By 20 October 2022 the threat actor’s claims had been verified: the sample records were cross-referenced against Medibank’s internal records and matched. The Australian Federal Police publicly stated that the attack originated in Russia, and the compromised credentials used to gain access were reportedly sold on a Russian-language cybercrime forum. Forums like these are known in the community as “hacker for hire” sites or hacking marketplaces: credentials are bought, sold and exchanged, and hackers, groups and botnets can be hired for use against a target. A threat actor or hacking group picked up the compromised credentials and used them to get into Medibank’s network.
Once inside the network, the threat actor set up two backdoors, the second as a contingency in case the first was discovered and closed. The nature of the attack suggests the threat actor had carried out extensive reconnaissance inside the network over some time: the operation was methodical and direct, and kept its footprint small enough to avoid detection. This was reportedly achieved by targeting specific sub-directories within Medibank’s data stores and exfiltrating only those directories to an external destination. That degree of targeting shows the actor had visibility not just of the network but of the internal layout of Medibank’s data storage, and built a bespoke exfiltration path around it. Medibank did not notice the unusual activity until after the data had already been exfiltrated.
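The article’s point is that the transfer was only noticed after the data had left. The kind of check that catches this earlier is a comparison of each host’s outbound volume against its own history. The following Python is an added example for this article, not Medibank’s tooling and not something the original piece contained: it flags internal hosts whose traffic to addresses outside the RFC 1918 ranges is far above baseline, or that start sending to an external destination never seen before. The host names, flow records, baselines, known-destination set and the 5x threshold are all constructed assumptions.

```python
# Added example (not Medibank tooling): flag hosts whose outbound volume to
# non-RFC1918 addresses is far above baseline or goes somewhere new. All host
# names, flow records, baselines and thresholds below are constructed.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    ts: str         # ISO-8601 timestamp
    src: str        # internal host name
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes sent by src

# Constructed flow records: ts src dst dport bytes_out (one per line).
SAMPLE_FLOWS = """\
2022-10-12T01:02:03Z fileshare-01 198.51.100.20 443 8400000
2022-10-12T01:07:44Z fileshare-01 198.51.100.20 443 9100000
2022-10-12T01:15:10Z workstation-17 198.51.100.20 443 120000
2022-10-12T01:33:51Z db-prod-02 10.20.30.40 1433 650000000
2022-10-12T02:02:19Z db-prod-02 203.0.113.77 443 48000000
2022-10-12T02:06:58Z db-prod-02 203.0.113.77 443 51000000
2022-10-12T02:11:30Z db-prod-02 203.0.113.77 443 47500000
2022-10-12T02:40:05Z workstation-17 198.51.100.20 443 95000
"""

# Constructed baseline of typical external bytes per host for a comparable
# window; in practice derived from weeks of history.
BASELINE_EXTERNAL_BYTES = {
    "fileshare-01": 20_000_000,
    "workstation-17": 500_000,
    "db-prod-02": 1_000_000,  # a database server should rarely talk outside
}
# Constructed: external destinations seen in historical flows.
KNOWN_EXTERNAL_DESTINATIONS = {"198.51.100.20"}

def parse_flows(text):
    """Parse the constructed space-separated flow format, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, nbytes = line.split()
            flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_bytes_by_host(flows):
    """Total bytes each host sent to destinations outside the internal ranges."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)

def new_external_destinations(flows, known):
    """External destinations per host that do not appear in the historical set."""
    fresh = defaultdict(set)
    for f in flows:
        if not is_internal(f.dst) and f.dst not in known:
            fresh[f.src].add(f.dst)
    return dict(fresh)

def find_exfil_candidates(flows, baseline, known_dsts, ratio=5.0):
    """Return (host, external_bytes, reasons) for hosts worth investigating.

    Flags a host when its external volume exceeds `ratio` times its baseline,
    when it has no baseline at all, or when it talks to a never-seen destination.
    """
    totals = external_bytes_by_host(flows)
    fresh = new_external_destinations(flows, known_dsts)
    findings = []
    for host, total in sorted(totals.items()):
        reasons = []
        base = baseline.get(host)
        if base is None:
            reasons.append("no baseline for host")
        elif total > ratio * base:
            reasons.append(f"{total / base:.1f}x baseline of {base} bytes")
        if host in fresh:
            reasons.append(f"new external destination(s): {sorted(fresh[host])}")
        if reasons:
            findings.append((host, total, reasons))
    return findings

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, total, reasons in find_exfil_candidates(flows, BASELINE_EXTERNAL_BYTES, KNOWN_EXTERNAL_DESTINATIONS):
        print(f"{host}: {total} bytes external; " + "; ".join(reasons))
```

In the constructed sample the large internal SQL transfer from db-prod-02 is ignored, because only traffic leaving the private ranges counts, while its three HTTPS pushes to a previously unseen address add up to well over a hundred times its baseline and are flagged on both grounds. The file server’s transfers are large in absolute terms but within its normal volume and to a known destination, so they are not flagged; a volume threshold alone, without a per-host baseline, would invert those two results.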
The threat actor threatened to publish the data if the ransom was not paid by 7 November. On the advice of the Australian Cyber Security Centre (ACSC), Medibank did not pay. Since the 7th there have been three separate dumps of the stolen data. The first consisted of a “naughty” list and a “good” list of patients; the naughty list contained high-profile Medibank customers who had made claims relating to mental health, drug treatment or HIV-positive status. The second dump included a folder called “Abortion”, listing procedures that resulted in the termination of a pregnancy, regardless of the medical reason for the procedure. The most recent dump, on Friday 11 November, contained over 240 records, all relating to the harmful use of alcohol.
Medibank is “gearing people up” to expect further leaks in the coming days. After the first leak, Australia’s Home Affairs Minister Clare O’Neil issued a message to the public asking that nobody report on or repost the leaked data on social media or elsewhere, so as not to breach the privacy of those affected. Clare O’Neil has since said in a statement to the press: “… I want the scumbags behind this attack to know, that the smartest and toughest people in this country, are coming after you”.
At Texaport, we understand what incidents like this mean for businesses, and we work with our clients to put reliable systems in place that protect their data and improve their efficiency. Our team has a wide range of IT knowledge and keeps up with developments in the IT industry. Find out more here.