The Medibank hack began with the theft of the credentials of someone who had high-level access within the organisation, which were then sold on a Russian-language cybercrime forum, according to a source close to the company investigation.
The Australian health insurer told its customers on 13 October it had taken two systems offline as a result of a “cyber incident”. It later reported it had been contacted by hackers over 200GB of customer data allegedly stolen from the Medibank systems.
A sample of 100 records included in the “negotiation” from the hacker included names, addresses, dates of birth, Medicare numbers, phone numbers, and medical claims data including information about diagnosis, procedures and location of medical services.
Medibank has been piecing together over the past two weeks how the attack occurred. The Australian federal police and the Australian Signals Directorate are also investigating.
The attack is believed to have begun when a person with high-level access within Medibank’s systems had their credentials stolen by a hacker who then, acting as a credential broker, put them up for sale on a Russian-language cybercrime forum, according to the source, who was not authorised to speak publicly.
The credentials were then reportedly bought, and another hacker or group of hackers infiltrated Medibank’s network and established two backdoors, including one for redundancy in case it was discovered.
A view is forming within Medibank that the attacker then conducted a thorough examination of Medibank’s network and internal applications, not just customer data, and deployed a bespoke tool to pull customer information out of Medibank’s customer database and package it into a zip file that the attackers could then move out of the company’s network.
It was at that point that Medibank detected suspicious activity and found and closed the two backdoors, the source said. The Australian Signals Directorate also warned Medibank that it might soon be the target of a ransomware attack, which never eventuated.
“Essentially, high-level credentials were stolen, or identified, and they were then sold and somebody bought it,” the director of the Australian Strategic Policy Institute’s International Cyber Policy Centre, Fergus Hanson, said.
“That’s how these hackers could basically write some software to script out the data.”
When the credentials were taken and when the attack first occurred is yet to be disclosed. The company has not yet revealed how many of Medibank’s 3.9 million customers could have had their data compromised.
It is unclear whether multi-factor authentication was compromised or bypassed.
“This is a preventable attack,” Hanson said on Monday. “Could they have done better? Yes, maybe they could have done better. Is every organisation gripped up to deal with this? Well, absolutely not. [But Medibank] are in a really privileged position, handling people’s healthcare data, so I think there is a genuine case to answer there.”
The Medibank hack is one of several high-profile data breaches in Australia in the past month, following the Optus data breach exposing up to 10 million customers, as well as breaches at Woolworths and Vinomofo.
The Albanese government announced companies that fail to adequately protect people’s data could face fines of $50m or more under new legislation to be introduced to parliament next week.