A major cybersecurity incident has occurred at Medibank Private just weeks after one-third of Australians had their information held to ransom in the Optus data breach.
As one of Australia’s biggest health insurance providers, Medibank holds information that includes intimate medical records, making the breach orders of magnitude more serious than the Optus hack.
There was another data breach earlier this week of the online wine retailer Vinomofo, which led to the records of 700,000 users being sold on a Russian-language cybercriminal forum.
In the wake of the Medibank breach, the cybersecurity minister, Clare O’Neil, warned of a new world “under relentless cyber-attack”, while Australia’s security agencies scrambled to manage the fallout.
Here is what we know so far about the data breach.
What happened?
On 13 October, Medibank said it had taken offline the data and policy systems of its budget provider, ahm, and its international student division after a “cyber incident”. The next day the company announced it had restored systems and said it was “still responding” to the incident.
The situation developed on Wednesday when Medibank disclosed to the Australian stock exchange that hackers had contacted the company to “negotiate” over the future of 200 gigabytes of customer data they said had been stolen from company systems.
Although Medibank initially claimed there was “no evidence that customer data has been accessed”, the public learned the scale of the breach on Thursday as the Australian Signals Directorate and the Australian federal police started to investigate.
How did the attack occur?
Medibank is understood to still be investigating but it is thought someone gained access using fake or compromised user credentials.
What do we know about what was taken?
The hacker shared a sample of 100 policies for verification. This information contained names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data – including information about diagnoses, procedures and the location of medical services.
In a statement the insurer said the hacker also claimed to hold credit card information, but this has not been confirmed. The sample is believed to come from ahm and contain information about international students who were policyholders.
How many people does it affect?
Medibank has about 4 million customers but it is not known at this stage how many were caught in the breach.
Who is at risk?
So far it has been confirmed international students have been affected, since private health insurance is a requirement when they come to study in Australia. This is concerning as many students have moved from countries where their medical information could be used against them.
Anyone who holds a policy with Medibank should be on notice. Nine newspapers reported the hackers have threatened to release the information of the 1,000 most high-profile Australians if their demands are not met.
What does the company say?
Medibank’s chief executive David Koczkar has “unreservedly” apologised for the breach.
“I apologise and understand this latest distressing update will concern our customers,” he said. “We have always said that we will prioritise responding to this matter as transparently as possible.
“Our team has been working around the clock since we first discovered the unusual activity on our systems, and we will not stop doing that now. We will learn from this incident and will share our learnings with others.”
What does the government say?
Speaking to the ABC on Thursday morning, O’Neil warned Australians of more attacks in the future.
“This is the new world that we live in,” she said. “We are going to be under relentless cyber-attack, essentially from here on in. And what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organisations to protect customer data, and also for citizens to be doing everything that they can.”
O’Neil said the Medibank and Optus breaches amounted to a “huge wake-up call” that showed the need for an overhaul of information and privacy protections.
What can you do if you’re affected?
It is difficult for an individual person to respond to a data breach of this size and scale. Criminals will typically use this information to take out fake loans or use credit card information to make purchases. To manage this risk people can contact Equifax for credit monitoring and replace credit cards.
Other risks can be managed by reviewing security settings on social media platforms, closing old and unused accounts and being careful about what is posted. This prevents criminals from gleaning contextual information.