A week after denying that any customer data was accessed after it suffered a ransomware attack, Australian health insurance provider Medibank on Wednesday confirmed that all of its customer data was illicitly accessed by threat actors.
Australia-based Medibank previously downplayed the incident and said no customer data was accessed. A few days later, the attackers threatened to target some of its most prominent customers and provided a sample of 100 and 1,000 records of Medibank and ahm policyholders to prove they had the company’s data.
Jordan Schroeder, managing CISO at Barrier Networks, told Spiceworks, “This latest update comes only a few days after the company had said no customer data was compromised, so it certainly raises some alarm bells about the handling of the incident and investigation into the breach.”
It turns out the scale of the attack on the health insurer is much more widespread than initially thought. Evidently, the threat actors accessed 200 gigabytes of Medibank data, including the personal data and significant amounts of health claims data of all its customers, all international student customers and all ahm customers.
The compromised data types include customers’ full names, phone numbers, birth dates, addresses, and policy numbers. Diagnosis and procedure codes that form a part of the health claims data were also compromised. It’s unclear if the hackers stole credit card data.
The ransomware attack led to the compromise of the data of almost four million customers. Julia O’Toole, CEO of MyCena Security Solutions, told Spiceworks, “It seems like things are going from bad to worse for Medibank. The company initially said very few customers had been impacted by the breach, yet they have now revealed all customers were actually impacted.”
“This is bad news for Medibank customers as attackers have had free-rein access to their data, even though they were initially led to believe it was safe. It’s also terrible for Medibank’s reputation and they are going to struggle to recover from this incident.”
Medibank also confirmed that the attackers even deleted some of this data, which, as typical ransomware attacks go, was likely exfiltrated before being deleted from the company’s systems.
Medibank, which ironically is not insured against cyber incidents, expects this cyberattack to cost anywhere between AU$25 million and AU$35 million ($16.15 million to $22.6 million). The company is provisioning financial support for customers who are in uniquely vulnerable positions and is reimbursing fees for the re-issue of ID documents that have been compromised.
Medibank said it is also providing free identity monitoring services from IDCARE for customers whose primary ID was compromised and mental health and wellbeing support.
“Every day, businesses that are supposed to protect customer data get breached, and it is real people who must deal with the aftermath. Businesses must do more to protect the data they hold, but the methods they employ are unfit to fulfill those security purposes,” O’Toole added.
“Consumers pay the price through monetary, identity and data theft, while organizations’ only remediation is to offer a free Experian credit monitoring account or a new bank card, passport or driving license. But this is far from being foolproof or acceptable as there is some data in life that simply can’t be changed. Who can change their date of birth, name, or face? When a company is breached and this type of information lands in the hands of cybercriminals, it stays there, forever.”
Drew Perry, CEO of Tiberium, advised customers to act quickly and set up safeguards besides passwords for online accounts. “Any customers impacted by this incident must change passwords on their online accounts now and check if multi-factor authentication is in place,” he told Spiceworks.
“If they use the same password across multiple accounts, they should use a password manager to create new unique passphrases. It is safer to assume their data has been compromised and victims should be extra vigilant during this time for phishing scams and new credit applications.”
For organizations that store vast amounts of customer information, Schroeder said MFA and Privileged Access Management (PAM) should be leveraged to protect key accounts. Organizations should also have a layered approach to security to prevent lateral movement and regularly train employees on phishing and cybercrime. “When it comes to defenses, prevention is always better than cure.”
Medibank is one of the several victims of cyberattacks perpetrated against Australian companies in recent weeks. “I apologize unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” said Medibank CEO David Koczkar.