A poster child for the current cyber climate in Australia, Medibank can’t seem to catch a breath.
Having been the subject of one of the largest cyber attacks ever seen in Australian history late last year, the company has once again been breached through its use of the MOVEit cloud storage service.
Cyber Security Connect has compiled a timeline of the events faced by Medibank, starting from the first discovery of suspicious activity on its systems last year.
13 October 2022:
Medibank first detects unusual activity on its network, concluding that there was “no evidence that any sensitive data, including customer data, has been accessed”.
In an effort to keep its systems secure, Medibank said that it isolated and removed access to some customer-facing systems and contacted cyber security firms.
“We have spoken with the Australian Cyber Security Centre, APRA, Office of the Australian Information Commissioner, Private Health Insurance Ombudsman, the Department of Health and the Department of Home Affairs over the course of the day to ensure that our regulators and other key stakeholders are informed,” it said.
14 October 2022:
Medibank begins communicating with customers about the event, sending out 2.8 million emails. Access to the closed-down systems is also restored. Investigations into the incident continue. At this stage, there is still no evidence that customer data was ever accessed.
17 October 2022:
The private health insurer finds that the suspected unusual activity falls in line with a ransomware threat, but it still maintains that there is no evidence that any customer data had “been removed from [its] IT environment”.
“As a further precaution, we’ve put in place additional security measures across our network and we continue to work with external cyber security experts and the Australian government’s lead cyber agency, with our forensic investigation continuing,” said Medibank.
19 October 2022:
Medibank is contacted by a cyber criminal organisation, later discovered to be the Russia-based REvil hacking group, claiming to have stolen customer data from its systems.
“Today we received messages from a group that wishes to negotiate regarding their alleged removal of customer data,” Medibank said.
“Urgent work is underway to establish if the claim is true, although based on our ongoing forensic investigation, we are treating the matter seriously at this time.”
The private health insurer said that its systems had not been encrypted and, as a result, customers were able to continue their usual activities.
20 October 2022:
Medibank is now working with the Australian Federal Police (AFP), which is treating the incident as a crime. In addition, the private health insurer said that REvil claimed to have stolen 200 gigabytes of data, which includes:
As support for their claims, the hacking group provided Medibank with a sample of stolen records for 100 policies, which were believed to be part of its international student and budget ahm health insurance systems.
Medibank said that REvil also claimed to have stolen data relating to credit card information, but that this was yet to be verified.
Customers were contacted directly to inform them of the situation.
25 October 2022:
REvil contacts Medibank again, once again sending the 100 ahm policy record sample, as well as a file containing an additional 1,000 ahm policy records and files containing Medibank records.
“Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen,” said Medibank.
“We will continue to analyse what we have received to understand the total number of customers impacted, and specifically which information has been stolen.”
In addition, Medibank established a “comprehensive support package” for those affected.
The package provided affected customers with:
Premium increases that were due on 1 November were also deferred until 16 January 2023.
26 October 2022:
Medibank’s investigation determined that REvil had access to the personal data and a significant amount of health claims data for all Medibank, ahm and international student customers.
There was also evidence to show that some of the data were removed by the cyber criminal syndicate, with Medibank concluding that it was likely that more data had been stolen.
28 October 2022:
Medibank’s investigation discovers that data belonging to My Home Hospital (MHH) patients had also been accessed.
“My Home Hospital is a service delivered by a joint venture between Calvary and Medibank on behalf of Wellbeing SA and the South Australian government,” said Medibank.
Medibank said that it was not yet certain whether the data had been stolen, but that the files included personal information, including some health data.
7 November 2022:
Medibank releases a major update on its investigation, revealing that the breach affected 9.7 million current and former customers.
This is made up of:
The data stolen included names, birth dates, phone numbers and email addresses, as well as Medicare numbers for ahm customers, and passport and visa details for international students.
Health claims data was stolen from 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers.
“Given the nature of this crime, unfortunately, we now believe that all of the customer data accessed could have been taken by the criminal,” said Medibank.
Despite constant pressure from REvil, Medibank also revealed that it would remain steadfast and refuse to pay the ransom demand.
“Based on the extensive advice we have received from cyber crime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Medibank.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.
“This decision is consistent with the position of the Australian government.”
8 November 2022:
REvil begins encouraging shareholders to sell their shares, as it threatens to release the stolen data on the dark web.
Medibank said it is aware of the threat and that customers may be contacted directly.
9 November 2022:
REvil releases data on the dark web, with files categorised under the “good list” and “naughty list”.
As part of its investigation, the AFP partners with Five Eyes law enforcement and federal agencies. Operation Guardian, which was originally set up to assist those affected by the major Optus cyber attack only a month prior, is extended to Medibank customers.
10 November 2022:
REvil releases an additional file containing abortion data. It also demands roughly $15.6 million in ransom payments to prevent the further release of data.
11 November 2022:
The AFP identifies the hacking group behind the attack (later revealed to be REvil) as being Russia-based and says that it will be contacting Russian law enforcement about the group.
1 December 2022:
REvil finally admits defeat and posts the remaining data on the dark web.
“Happy Cyber Security Day!!! Added folder full. Case closed,” said REvil with its final data dump.
The hackers had previously stated that the total data stolen comprised 200GB worth of files, compressed down to 5GB.
16 January 2023:
A class action against Medibank is launched by a trio of law firms, claiming that the data breach was a “betrayal of Medibank Private’s customers and a breach of the Privacy Act”.
Maurice Blackburn teamed up with Bannister Law Class Actions and Centennial Lawyers to launch a coordinated class action against the private insurer.
6 February 2023:
Medibank faces its second class action, with Baker & McKenzie filing a consumer class action against it in the Federal Court.
28 March 2023:
A third class action hits Medibank, with Quinn Emanuel filing a shareholder class action in the Victorian Supreme Court.
4 May 2023:
Slater & Gordon files the fourth class action against Medibank, being another consumer class action in the Federal Court.
20 June 2023:
Medibank is caught up in a major cyber attack once again, after it revealed that it was a user of the MOVEit cloud file transfer service owned by Progress Software.
The Clop ransomware group claimed responsibility for the MOVEit hack, which has also claimed British Airways, the BBC, and several US government departments.
Medibank was told that it was at risk after the MOVEit vendor Ipswitch notified it of vulnerabilities, but it said that it was not aware of any customer data being compromised.
“We were advised by the vendor Ipswitch about some vulnerabilities discovered in MOVEit — a software system we use to share information with external parties — and have promptly applied all the vendor’s recommended security patches,” said a Medibank spokesperson.
“We continue to investigate and work closely with the vendor, and at this stage, we are not aware of any of our customers’ data being compromised.”
21 June 2023:
Medibank reveals that staff data had been compromised in the hack as a result of one of its property managers using the MOVEit service.
The compromised file contained names and contact information of several staff members, but Medibank also said that other details such as bank details, payroll and home addresses remained safe.