Just after 1pm on 12 October, Medibank received a call from the Australian Signals Directorate. There had been chatter online that the Australian health insurance giant was about to become the victim of a ransomware attack, the spy agency warned.
Medibank had already determined there had been unauthorised access to its network and had shut off two backdoors that hackers had been using to get in and out of its systems.
The next day the company informed both the ASD and the public that “unusual activity” had been detected and some systems associated with its subsidiary ahm and international student customers had been taken offline as a precaution.
There was no evidence that sensitive data had been accessed, the company said at the time. It believed the ransomware attack had been foiled.
But on 19 October, Medibank announced it had begun receiving messages from a hacker group about customer data removed from its systems. For the second time that month, it went into a trading halt.
What has been learned in the weeks since is that a group of hackers, believed to be connected to the REvil Russian ransomware criminal organisation, had been in Medibank’s systems for a month – at least according to claims the hacker group made in communications with Medibank that were later leaked.
Those communications continued from 18 to 24 October as the company tried to figure out the nature of the data taken.
The way in appears to have been through compromised credentials of someone with high-level access to Medibank’s systems. The credentials were obtained by another party and then sold to the hackers on a Russian cybercriminal forum.
In the leaked communications, the company’s security team mentioned access to the system via a virtual private network connection. The hackers also said they managed to get the customer data from the Amazon data warehouse product Redshift.
The hackers claimed to have extracted about 200GB from Medibank’s systems after compressing it to 5GB.
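One practical point follows from those two claims. If 200GB of warehouse data leaves the network as 5GB, a volume alarm at the network edge sees only the compressed figure, so the better place to watch is the warehouse itself, where the full volume is read. The script below is an added example, not code from the article or from Medibank; it aggregates export volume per database user from rows shaped like Redshift’s STL_UNLOAD_LOG system table (userid, path, start_time, transfer_size in bytes) and flags users who exceed a threshold within a window or unload to a bucket outside an allowlist. The sample rows, the 50GB threshold, the 24-hour window and the bucket allowlist are all assumptions.

```python
"""Flag bulk data exports from Amazon Redshift.

Added example (not from the article). Rows are shaped like Redshift's
STL_UNLOAD_LOG system table; the rows, thresholds and allowlist below
are constructed assumptions, not real Medibank data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3

# Constructed sample rows (hypothetical users, paths and sizes).
# transfer_size is bytes, as in STL_UNLOAD_LOG.
SAMPLE_UNLOAD_LOG = [
    {"userid": 100, "path": "s3://reports/daily/claims_2022-10-01.csv",
     "start_time": datetime(2022, 10, 1, 2, 0), "transfer_size": 2 * GB},
    {"userid": 100, "path": "s3://reports/daily/claims_2022-10-02.csv",
     "start_time": datetime(2022, 10, 2, 2, 0), "transfer_size": 2 * GB},
    # One account unloads the whole claims table in three parts to a bucket
    # that normal reporting never writes to.
    {"userid": 207, "path": "s3://scratch/export/part_000",
     "start_time": datetime(2022, 10, 2, 3, 10), "transfer_size": 60 * GB},
    {"userid": 207, "path": "s3://scratch/export/part_001",
     "start_time": datetime(2022, 10, 2, 3, 40), "transfer_size": 70 * GB},
    {"userid": 207, "path": "s3://scratch/export/part_002",
     "start_time": datetime(2022, 10, 2, 4, 5), "transfer_size": 70 * GB},
    # Large but old: outside the 24-hour window used in the test below.
    {"userid": 311, "path": "s3://reports/adhoc/q3.csv",
     "start_time": datetime(2022, 9, 20, 9, 0), "transfer_size": 90 * GB},
]

# Assumed allowlist of buckets that legitimate unloads may target.
ALLOWED_BUCKETS = {"reports"}


def bucket_of(s3_path):
    """Return the bucket name from an s3://bucket/key path."""
    if not s3_path.startswith("s3://"):
        return ""
    return s3_path[len("s3://"):].split("/", 1)[0]


def bytes_per_user(rows, window_start, window_end):
    """Sum unloaded bytes per userid for rows starting inside the window."""
    totals = defaultdict(int)
    for r in rows:
        if window_start <= r["start_time"] < window_end:
            totals[r["userid"]] += r["transfer_size"]
    return dict(totals)


def flag_bulk_egress(rows, now, window=timedelta(hours=24),
                     threshold_bytes=50 * GB):
    """Return (userid, bytes) pairs whose unload volume in the window
    reaches the threshold. The uncompressed source-side volume is what
    matters here: the size on the wire after compression may be far smaller."""
    totals = bytes_per_user(rows, now - window, now)
    return sorted((uid, total) for uid, total in totals.items()
                  if total >= threshold_bytes)


def flag_unexpected_destinations(rows, allowed_buckets=ALLOWED_BUCKETS):
    """Return sorted (userid, bucket) pairs for unloads to buckets
    outside the allowlist, regardless of size."""
    hits = {(r["userid"], bucket_of(r["path"])) for r in rows
            if bucket_of(r["path"]) not in allowed_buckets}
    return sorted(hits)


if __name__ == "__main__":
    now = datetime(2022, 10, 2, 12, 0)
    for uid, total in flag_bulk_egress(SAMPLE_UNLOAD_LOG, now):
        print(f"user {uid} unloaded {total / GB:.0f} GB in the last 24h")
    for uid, bucket in flag_unexpected_destinations(SAMPLE_UNLOAD_LOG):
        print(f"user {uid} unloaded to non-allowlisted bucket {bucket!r}")
```

Against the constructed rows, the volume check alone singles out user 207, who read 200GB inside one day, and the destination check catches the same account independently because it wrote to a bucket that reporting jobs never use. In production the threshold would be set per user from historical STL_UNLOAD_LOG volumes rather than as a fixed constant, and the same approach applies to any warehouse that logs export sizes server-side.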
After days of back and forth the hackers contacted Medibank’s chief executive, David Koczkar, on WhatsApp, noting that his team had been “quite shy” about negotiations and threatening to target high-profile people including influencers, politicians and LGBTQ+ activists using details from their Medibank files. The group sent through what it called a “naughty list” of what they said were “very interesting diagnoses”.
By 25 October, the hackers were getting impatient.
“Judging by your public statements, you are not in the mood for negotiations and we have nothing to do but start posting data and also inform users that their data has been compromised and this is purely the fault of your company,” they said in an email.
The company was given a day to begin negotiations for a payment – at that time no amount had been discussed.
The hackers then offered to go through an “affiliate program”, which they claimed would certify that they would delete the data if the ransom was paid. In this exchange, the hackers confirmed that they had intended to lock up Medibank’s systems in a ransomware attack but found they did not have time.
On 27 October, the hackers promised that once payment had been made they would explain to the company how the hack occurred and what it could do to prevent it happening again.
By 2 November, the Medibank representative told the hackers the company was under “huge pressure” to understand the extent of the data breach and asked for more time – until the weekend – noting that Medibank had not publicly discussed being in conversation with the hackers.
But the hackers weren’t buying it, saying if more time was sought, they would begin contacting the most sensitive customers and passing their health data on to them.
The deadline was set: Monday 7 November.
That day, the Medibank representative replied that the demands could not be met and it was Australian government policy that ransoms should not be paid.
Medibank made that position public and prepared the public for the worst, outlining exactly what had been accessed and potentially taken. In addition to the 9.7 million current and former customers whose names, dates of birth, phone numbers, email addresses and addresses were accessed, the health claims of about 160,000 Medibank customers, about 300,000 ahm customers and about 20,000 international customers were accessed by the hackers.
The hacker group then began releasing customer data on the dark web.
There was the “naughty list” that included information about treatment for drug addictions or mental health issues, as well as a “good list” that contained generic hospital procedure claims. There were about 100 customers in each file.
The following day, the group published another file containing claims made by dozens of policyholders in relation to the termination of pregnancies. On Friday, the group released files associated with 240 customers related to the harmful use of alcohol.
Medibank has now warned customers to expect days of files being published by the hackers.
The home affairs minister, Clare O’Neil – herself a Medibank customer – labelled the hackers “scumbags” and said the full force of the Australian federal police and the ASD was being used to hunt them down.
On Friday the federal police commissioner, Reece Kershaw, confirmed that the hackers were located in Russia and said individuals believed to be responsible had been identified. He said the AFP would contact Russian law enforcement to pursue them.
“We know who you are and, moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system,” he said.
The strong language from the government will be cold comfort for the hundreds of thousands of Medibank customers who will be nervously waiting for the daily leak of their most personal medical information.