The health insurer first reported “unusual activity” on its network on October 13 – and it was initially believed that no customer data had been removed from its systems.
An alleged hacker group then contacted Medibank to negotiate a set of allegedly stolen customer data, which the insurance company said was limited to a subset of international students, and to its budget insurance sub-brand, ahm.
Now it turns out that further files received “from the criminal” contain data from Medibank, ahm and international student customers.
“Given the complexity of what we received, it is too early to determine the full extent of the stolen customer data,” Medibank reports.
“As we continue to investigate the extent of this cybercrime, we expect the number of affected customers to grow as it unfolds,” it added.
So far, Medibank has determined that the set of files consists of:
● A copy of the file received last week containing 100 Ahm policy files – including personal and health claims records
● A file with an additional 1,000 ahm policy files – including personal and health claims
● Files containing some Medibank and additional ahm and international student customer data
David Koczkar, CEO of Medibank, said he “apologies unconditionally to our customers who have been victims of this serious crime.”
“As we continue to discover the magnitude and gravity of this crime, we recognize that these developments will be troubling for our customers, our people and the community – as well as for me,” he added.
What does the future hold for Medibank
Next to the landmark optus data breach, the Medibank attack was already becoming one of the most significant cyber events of the year.
Now that key brand data is believed to have been compromised, the insurance company has work ahead of it.
This cybercrime is currently the subject of criminal investigation by the Australian Federal Police (AFP), for which Medibank provides ongoing assistance.
In addition to continuing to investigate and communicate the developments of this incident, Medibank is also taking a number of customer-focused measures, including a new “comprehensive customer support package”
Medibank said it will provide “24/7 mental health and wellness support”, support for “customers who are in a uniquely vulnerable position” and access to specialist advice on identity protection from IDCARE, Australia’s national identity and cyber support service. and New Zealand.
The IDCARE announcement is particularly noteworthy, as it has been a central resource after the optus breach that exposed at least 2.1 million personal identification numbers.
What should customers do?
For the nearly 4 million customers of Medibank, the health insurer warns to remain vigilant for “suspicious communication that comes in via e-mail, text or phone call”.
The company said it will never contact customers requesting passwords or sensitive information, and encourages customers to use its cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31 ).
Finally, Medibank said clients can also speak to its experienced and qualified mental health professionals for mental health advice or support.
“This is a malicious attack perpetrated by criminals with the intent of causing maximum fear and harm, especially to the most vulnerable members of our community.”
Cyber Security Minister Clare O’Neil has publicly criticized the alleged criminals behind Medibank’s data breach, labeling the potential disclosure of personal health information a “dog act” against Australians.
After the recent series of data breaches in Australia, including Optus, Telstra and Medibank, O’Neil warned that cyber attacks of this nature would only increase.
“This is the new world we live in,” she said.
“We will face relentless cyberattacks, essentially from now on,” she added.
In an effort to combat the onslaught of cybercrime in recent weeks, the Albanian government has launched a new law impact on data breach fines, as well as anticipated privacy law reforms.
Senator James Paterson, who is now the shadow secretary for cybersecurity, commented on Medibank’s development, stating, “Despite the company’s initial denials, customers’ worst fears have now come true.”
He also criticized O’Neil’s response to the Medibank breach, saying: “Following a slow and confused response to the Optus cyber attack, it is worrying that it took Cyber Security Secretary Clare O’Neil a week to go public. respond to the Medibank hack.”
“Mrs O’Neil should explain why she accepted that the company’s initial denial was serious and delayed government involvement by a week,” he added.
“Time is of the essence in a cyber attack. Early government involvement makes it possible
establish facts, potentially disrupt data theft, and give customers time to
take the necessary steps to mitigate the impact of the breach,” said Paterson.
“Every day that is lost, the damage done worsens.”
Medibank continues to work with the AFP in investigating the incident and has said it will contact current and former customers with recommended steps following the breach.
As for those seeking updates on Medibank’s trading information, the company stated, “To be clear, the voluntary suspension will continue until an earlier announcement by Medibank and the start of normal trading on Wednesday, October 26, 2022.”