Weekly CyberTip: Clear Screen and Clear Desk Policies
Are you back in the office full-time? Working a hybrid schedule? Using “hoteling” spaces at work while maintaining a virtual office at home? Wherever you do your work these days, it’s important to keep private and sensitive information secure by maintaining a clear desk policy. Keep paperwork under lock and key; remove and secure thumb drives or other portable media. Leaving materials in the open is an invitation to data disclosure or theft.
A clear screen policy matters just as much. Lock your device whenever you leave it unattended so that nobody else can view potentially sensitive information – this applies to phones, tablets, laptops, and desktops alike. Most phones and tablets can be locked simply by pressing the power button. The keyboard shortcut for locking a Windows device is Windows Key + L; on a Mac, press Command + Control + Q. For extra protection, enquire about privacy screens that limit viewing angles and reduce the chance of casual disclosure to passersby.
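Manual locking depends on the user remembering. As an added example (not part of the original tip), the PowerShell snippet below reads and, when run from an elevated prompt, sets the Windows security policy "Interactive logon: Machine inactivity limit", which locks the session automatically after a period of idle time. The registry path and value name are the documented locations for that policy; the 300-second target is an assumed value for illustration, and the function names are this example's own.

```powershell
# Added example: enforce an idle screen lock on Windows as a backstop for the
# manual Win+L habit. Uses the documented policy "Interactive logon: Machine
# inactivity limit", stored as the DWORD InactivityTimeoutSecs under the
# Policies\System key. Run from an elevated (administrator) PowerShell to set it.

$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName   = 'InactivityTimeoutSecs'
$DesiredSecs = 300    # assumed target: lock after 5 minutes idle (0 = disabled)

function Get-IdleLockSeconds {
    # Returns the configured timeout in seconds, or 0 when the value is absent
    # (policy not configured).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-IdleLockSeconds {
    param([int]$Seconds)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Set-ItemProperty with -Type DWord creates the value if missing, else overwrites it.
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Seconds -Type DWord
}

$current = Get-IdleLockSeconds
if ($current -eq 0 -or $current -gt $DesiredSecs) {
    Write-Host "Idle lock is $current s (0 = off); setting to $DesiredSecs s"
    Set-IdleLockSeconds -Seconds $DesiredSecs
} else {
    Write-Host "Idle lock already enforced at $current s or less"
}
```

The value takes effect for new logon sessions, and on a domain-joined machine a Group Policy setting for the same policy will overwrite any local value at the next policy refresh, so in a managed fleet the setting belongs in GPO or MDM rather than a local script; the script is still useful for auditing what a given machine actually has.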
Fallout continues from Medibank hack
Today’s CyberNews will concentrate exclusively on the data breach recently suffered by Australian private health insurer Medibank.
Another difficult week
It has been another difficult week for Medibank as the fallout spreads from the October cyber incident:
- After a week of silence, hackers released a fifth set of customer health data on the dark web on November 20 after Medibank held firm on its refusal to pay ransom demands that have ranged between $10-15M (all figures AUD). The data released comprised four files containing 1,496 customer records. Medibank’s analysis of the data indicated that some records had already been released in previous disclosures, and 25% of the records did not match their policy system information, creating additional confusion. According to their statement, the verified data “include people with chronic conditions such as heart disease, diabetes and asthma, people with cancer, people with dementia, people with mental health conditions, people with infections and people who have sustained injuries, amongst other conditions.” The data disclosure continues a pattern of “drip-feeding” customer data on the dark web over the last five weeks.
- At Medibank’s annual general meeting on November 16, board chair Mike Wilkins AO announced that Medibank was about to “begin communicating with around 480,000 customers whose health data we believe has been stolen,” describing the “cybercrime event [as] unprecedented.” Medibank has been contacting affected customers in waves over recent weeks as the scope of the incident has become clearer.
- On November 15, Medibank revealed that the hackers had also stolen employee data, including mobile and work device contact numbers, which potentially exposes its systems to further targeted attacks and its staff to identity fraud.
- This week, two Australian law firms, Bannister Law Class Actions and Centennial Lawyers, announced that they are being “inundated by Medibank customers” in response to a class action started earlier in November.
Customer and staff data compromised
The original attack occurred on October 12, when Medibank took its systems offline in response to “unusual activity”. Medibank, one of Australia’s leaders in providing private health insurance and services, initially advised on their website that there was “no evidence that customer data has been accessed.”
While Medibank suspected a potential ransomware threat by October 17, their systems were never encrypted and they still maintained hope that no data had been compromised, even reporting that all systems were back to normal by October 18. However, on October 19, they received the first contact from the hackers, alleging that data had been stolen from Medibank systems. By November 7, Medibank reported that the hackers had “accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives,” adding that the “figure represents around 5.1 million Medibank customers, around 2.8 million ahm [Medibank’s low-cost insurance brand] customers and around 1.8 million international customers.” Medibank had approximately 3.97 million current subscribers on June 30, 2022.
More announcements followed, as the company revealed that the hackers had accessed Medicare numbers, passport information, health claims data for various segments of their customers, and detailed health data for hundreds of thousands of customers (including the name and location of the provider where certain medical services were received, the codes associated with diagnoses and procedures administered, and provider details such as names, provider numbers and addresses). Ultimately, it was estimated that some 200 GB of data was involved in the incident.
November 7 also marked the first time that Medibank data began to appear on the dark web, as the hackers attempted to exert additional pressure on the insurer to meet their ransom demands.
A sophisticated, state-sponsored attack
Medibank has still not confirmed the root cause of the incident, but a recent interview with Melbourne-based reporter Josh Taylor from The Guardian Australia revealed details of the investigation so far. It is believed that admin-level credentials belonging to an unidentified Medibank staff member were either forged or stolen. Those credentials were then sold on the dark web to another party, who enlisted a ransomware-as-a-service operation to breach Medibank’s defences. The hackers set up two backdoors into Medibank’s systems and conducted reconnaissance – possibly for months – before starting to exfiltrate data using custom-written software built specifically for Medibank’s environment. The exfiltration of data in October finally triggered the “unusual activity” that alerted Medibank staff to the incident.
The ransomware-as-a-service operation is thought to bear the hallmarks of the Russia-backed REvil ransomware gang, or of a newer operation called BlogXX that is believed to be related to REvil. The REvil criminal enterprise has been largely quiet since being forced offline by law enforcement in 2021.
More details are sure to emerge as Medibank, cyber investigators, and Australian law enforcement continue their investigation. Medibank is understandably eager to confirm the root cause and determine what measures could or should have been taken to prevent the incident. Meanwhile, Medibank continues to post regular updates on its online newsroom.
Costs and impacts to Medibank
Beyond the potential harm to customers, reputational damage to the brand, and significant operational cost and disruption, numerous additional impacts are being felt by Medibank:
- Medibank’s share prices dropped nearly 20% in the days after the incident was disclosed, and have not yet recovered.
- Medibank has extended call centre hours and increased their customer support team by more than 300 people to manage consumer enquiries, and established a costly Cyber Response Support Program.
- In the days leading up to the AGM, while proxy investment advisers CGI Glass Lewis encouraged investors to support all resolutions at the meeting and re-elect the board in order to maintain stability, they suggested that changes could be ahead. “It may be the case that in due course, the board and executive team will require renewal to a) bolster its skills and knowledge of cyber security and b) show accountability for the loss of privacy to its customers and the loss of value to Medibank shareholders,” according to CGI’s pre-AGM statement to investors. CGI also raised the possibility of executive pay “clawbacks” to account for any obvious vulnerabilities that had been overlooked.
- A proposal published by the Australian Government for a new Privacy Legislation Amendment Bill 2022 aims to increase privacy breach penalties:
- from $2.22 million to $50 million; or
- three times the value of any benefit obtained through the misuse of information, if greater; or
- 30% of a company’s adjusted turnover in the relevant period, if greater.
To put this in perspective, in the last financial year Medibank reported revenues of $7.12B. Taking 30% of that annual turnover would put the maximum penalty in the region of $2.1 billion, had the incident occurred under the proposed bill; the exact cap would depend on how “adjusted turnover” and the relevant period are defined in the final legislation.