Cybersecurity woes for major Australian firms continue as health insurance giant Medibank experienced a data breach that saw 200 GB in medical records stolen by a hacker and held for ransom.
The company initially misidentified the attack as involving ransomware, but it appears to have simply been a matter of data exfiltration. The amount of the ransom remains unknown; the hacker has leaked about 100 records that contain an assortment of information that reportedly includes medical conditions and addiction treatment records.
Contact and medical information stolen in Medibank health insurance hack
With some 3.7 million customers and a market share of about 27%, Medibank is the largest health insurance provider in Australia. The company had its trading halted by the Australian Securities Exchange on Wednesday the 19th after the hacker made contact with the company in private, claimed to have 200 GB in stolen data, and provided a sample of about 100 customer policies to verify that the attack was legitimate.
Customer health insurance policies contain an assortment of personal contact information: full names, home addresses, birth dates, and phone numbers, at a minimum. More distressing to Australians is the inclusion of national health care identification numbers, only weeks after major telecommunications provider Optus was breached. The loss of national identification numbers in that attack caused backlogs at government agencies as many people lined up to have their numbers changed.
The worst bit of the Medibank breach is that, in some cases, medical records are among the health insurance policies. As part of the shakedown, the thief named about 1,000 high-profile or at-risk people that they claim to have the medical records of, ranging from politicians and celebrities to LGBTQ activists and people with drug addiction issues.
Cybersecurity Minister Clare O’Neil initially mischaracterized the Medibank breach as a ransomware attack; her office later clarified that the data was stolen without the deployment of any ransomware, which the health insurance giant corroborated. The attack did not disrupt the company’s everyday operations (save for the halt in trading), but it remains unknown how many customers had their contact information or medical records exposed.
Australians dealing with mass exposure of telco and medical records
There has yet to be any official confirmation, but some reporting indicates that the Medibank medical records were stolen from a budget provider called “ahm” (formerly Australian Health Management) that offers lower-cost policies; the data may have been taken from the division that handles health insurance policies for international students. Foreign students are required by law to obtain a private policy when they come to Australia to study. ahm reportedly has information about one million of the company’s health insurance customers in its system.
Medibank has responded to the breach by adding staff to its customer support lines. The company has said that potentially impacted customers should call 13 23 31 if they have a health insurance policy with Medibank or 13 42 46 if they have a policy with ahm. Company CEO David Koczkar also issued a formal apology for the breach.
Since late September, Australian companies have been under something of a sustained cyber siege. It’s unclear if this is a coincidence, or if interest in the country is increasing for some reason; in late September the Australian Cyber Security Centre issued a warning of a campaign by Iranian state-backed hackers targeting critical infrastructure, but there are no connections as of yet between that campaign and the attacks on Optus and Medibank.
Optus and Medibank are two of the biggest companies to be hit in this recent string of crimes, but they are far from the only recognizable corporate names that have been attacked and lost large amounts of personal data. Since the start of October, major telco Telstra was also hit and had information on tens of thousands of current and former employees stolen. Woolworths, a leading grocery chain in the country, also experienced a breach of its MyDeal online shopping site that exposed the contact information of up to 2.2 million customers. And online wine seller Vinomofo was also hit for potentially half a million customer records.
The streak of crimes has prompted action by the Australian government to improve security, putting forward new regulations that would require the country’s banks to act quickly when news of data breaches that expose personal information drop. This is one of the primary fears for the health insurance information that was exposed; if it is dumped to the public, scammers will be quick to try to use it for identity theft and account takeovers. The problem is only exacerbated by the presence of medical records, which could be used both to make scam attempts more convincing or to blackmail victims.
Neena Sharma, Senior Strategist at Clavister, sees a need for companies to go further even if government regulations do not specify security improvements: “The data breach suffered by Medibank is worrying, especially following the Optus cyber-attack which also hit Australia only a few weeks ago. Highly sensitive personal information was accessed by the hackers, which raises concern about adequate cyber protection. Businesses and industries that hold large amounts of sensitive consumer data, such as health insurers, the transportation sector, and the banking sector, must invest better in safeguarding technologies to prevent hackers from accessing personal information. Cloud security measures are imperative in ensuring stronger protection against cybercriminals. The cybersecurity industry is working towards a ‘passwordless’ future because passwords are easily guessed or hacked by cybercriminals. Solutions such as authenticator apps, multi-factor authentication or single-sign on can ensure greater protection against cyber-attacks. Alongside no passwords, businesses must also strive for a zero-trust approach to security where users are continuously verified when trying to access applications or resources. Cloud security solutions can also limit the impact and scope of potential data breaches. Beyond the individual level, organisations and public bodies need to ensure they deploy more robust and, crucially, flexible security measures in future to mitigate against such breaches and protect highly sensitive data.”