Introduction
There is an accompanying checklist which lists the checks and actions you should take if you find yourself in this situation. It’s likely many readers have already received this dreaded news by email or text from a company they do business with and thought to themselves ‘well, what now?’
This article uses the cyberattack on Medibank at the end of 2022 as a case study of how these events tend to play out. The company is one of Australia’s largest private health providers, covering over 3.5 million people in 2021. The parts of the article relating to the firsthand account are based on information provided by a de-identified policy holder we’ll name Sue, including an informal interview and communications she forwarded to us.
Timeline of events and public announcements
- 12th October: Medibank CEO David Koczkar receives internal communication of suspicious activity detected in the company’s network
- 13th October: Medibank announces this to the public but says there isn’t evidence to suggest customer data was compromised
- 14th October: Medibank sends emails and text messages to customers informing them that some systems are offline while they are investigating
- 17th October: Medibank makes another public update on the investigation saying while the event is ‘consistent with the precursors to a ransomware event’ there is still no evidence of compromised customer data
- 19th October: The bad actors responsible contact Medibank with a sample of 100 customer records to show they have successfully compromised customer data. They claim to have over 200GB worth of customer data and begin negotiating over the release of the information
- 20th October: Medibank announces that the claims made by the bad actors are legitimate and that the Australian Federal Police (AFP) have joined the investigation
- 26th October: Medibank announces that compromised data is inclusive of Medibank, AHM (Medibank’s ‘value’ insurer), and international student customers
- 7th November: The full scale of the attack is revealed by Medibank announcing that 9.7 million customers, past and present, were impacted. The bad actors demand Medibank pay a US$10 million ransom otherwise they will release the data to the Dark Web. Medibank, based on advice, says it will not pay the ransom
- 9th November: The bad actors release some customer data on the Dark Web including a “good list” and a “naughty list”, with the latter identifying customers who have undergone treatment for drugs, alcohol or mental disorders.
- 10th November: The bad actors release data to the Dark Web related to customers who had abortions
- 11th November: The AFP in collaboration with Interpol link the attack to a Russian hacking group
For more details about each event and announcement visit the dedicated Medibank page linked here
We don’t want to spend too much time on the background of this as we’re focussed on the cybersecurity of everyday people, not companies. The last thing we’ll discuss is how this is believed to have happened before we move on to what this article is all about.
It must be said that at the time of writing this is still unconfirmed, but reports suggest that a person with high-level access to Medibank’s systems had those credentials stolen by a bad actor. This bad actor then put the credentials up for sale on a Russian cybercrime forum where they were purchased by the group of bad actors responsible for the attack and ransom demands.
The group of bad actors responsible found the location of a customer database and used the privileged credentials to write a script which automated the exfiltration of the customer data. The data was placed into a zip file and two backdoors were established to extract that data through. It is believed that Medibank’s security team detected suspicious activity at this point and shut down both backdoors, but by then 200GB of data had been stolen.
What customer data was stolen?
Now we can finally talk about you, the customer, the victim, the person who doesn’t need this headache leading into the festive season. The text below is quoted directly from Medibank’s timeline linked earlier:
Based on our investigation to date into this cybercrime we currently believe the criminal has accessed:
- Name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
- Medicare numbers (but not expiry dates) for ahm customers
- Passport numbers (but not expiry dates) and visa details for international student customers
- Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
- Health provider details, including names, provider numbers and addresses
We believe the criminal has not accessed:
- Credit card and banking details
- Primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers. Medibank does not collect primary identity documents for resident customers except in exceptional circumstances
- Health claims data for extras services (such as dental, physio, optical and psychology)
The situation in Sue’s words
In the middle of October when news broke that Medibank suffered a data breach I didn’t think much of it. They said they didn’t believe customer data was compromised and they’re a reputable, premium branded company so my gut told me nothing would probably come of it. As the days passed the breach remained in the news and Medibank was communicating more than I thought they would so I started to pay closer attention.
It felt as if every update was more bad news, it didn’t look like the tide was turning in Medibank’s favour but I always had that ‘it will never happen to me’ outlook in the back of my head. When things hit the fan in the second week of November and it came to light that not only current but also past customer data was stolen and a ransom was being demanded, this was the first time I really had that ‘oh no’ moment. That’s when it really sunk in that it was very unlikely that I wouldn’t be affected considering past customers were.
In their updates Medibank gradually started including more and more information relating to what I should be doing in terms of advice and what support was being provided. Whilst it was well intentioned it also felt obligatory, and it was quite vague. Advice such as being alert for scams and changing passwords to strong ones seemed quite general or broad. On the support side it was links to websites and all these different 13 and 1800 numbers to various call centres such as their own dedicated ones, mental health, hardship and similar.
To be honest it was overwhelming, not from the complexity so much but from the broad-brush approach to the content. I didn’t understand the breadth of risk here – I mean do I need to go and change the password on every account I have? Do I need to cancel some identity documents? Should I change my phone number as a precaution because I get two-factor authentication messages there?
On the 14th of December Medibank emailed saying ‘We’re deeply sorry to inform you that we believe some data relating to your membership has been stolen and released on the dark web in the recent cybercrime event.’ On the same day my Bitdefender Digital Identity Protection (not a plug) also notified me that my private data was released to an untrusted environment (the Dark Web) so I’m glad these monitoring services work.
I understand these things happen, but it feels the advice from the company is general, in that the next company to have a data breach will send the same tips and provide the same phone numbers for support services. To be honest I haven’t actually done much because I think I need to sit down in peace on a weekend and take a deep dive into it to actually identify what the risks are for myself.
Why aren’t we criticising Medibank?
We very easily can, but fundamentally it’s not our focus; we’re looking at the response to this and future such scenarios for you. There are plenty of cybersecurity journalists who will write plenty of articles outlining where Medibank could / should have done better. Such articles are written for the business community (the Chief Information Officer type roles) and in a way to instigate change to company policies based on lessons learned. We focus on responding when this type of thing happens because we write for the everyday person. Each of us on the other end of the screen reading this has limited material impact on how a large organisation secures its internal systems and access controls. Furthermore, the biggest, the most reputable, and the best resourced companies in the world continue to suffer these types of breaches. We need to take our own precautions as everyday people rather than equate the credibility, reputation, or size of a company with its cybersecurity culture.
We focus on preparing our readers for this type of thing when it happens to you the first time or responding quicker and better next time. Simply put we want to help Sue given how overwhelmed she was rather than help Medibank because the latter has enough attention.
It’s safe to say as time goes on data breaches and releases like this will become more commonplace (they already are if we’re being honest). Right now, if it happens to you three times a year, you’d consider yourself unlucky, perhaps in five years that will be normal? However, in five years’ time hopefully the value of that data will be far less because you’ve been a Privacy Rightfully follower for those years.
‘Well, what now?’
So, imagine you find yourself in Sue’s position, or perhaps you already have in the past. That dreaded message has found its way to you from a company you do business with – they’ve had a data breach and your data was stolen, what should you do? Naturally there are some variables at play such as the nature, volume, and sensitivity of the data involved, but if you recall our article linked here you know that data is more valuable when pieced together. So even if it was low value or low volume data, bear in mind technology exists to match it with past data leaks and other sources of information to make it valuable. You should always act when there has been a data breach event at a company you currently do or historically did business with.
In terms of increasing risk based on data type, consider:
- Names and email addresses are relatively low risk and generally lead to receiving a lot of spam in the worst-case scenario
- Residential address steps it up a notch because where you live and sleep is exposed, which becomes more of a physical risk (especially if you’re single or a survivor of domestic violence). However, it’s still considered low risk as online bad actors typically don’t focus on stalking, burglary, etc.
- Date of birth along with the above information carries added risk as it is used as a personal identifier leading to identity theft
- Bank details and card numbers with the above information can allow bad actors to take out loans and credit cards in your name
- Your country’s equivalent of the US Social Security Number (SSN) or Tax File Number (TFN) in Australia with some combination of the above gives bad actors even more options such as opening entities in your name.
‘Well, what now?’ – jump on to our Checklist for when you’re notified your data has leaked, linked here.
Conclusion
Without prompting Sue pointed out one of the major reasons we do what we do at Privacy Rightfully – cybersecurity is overwhelming! We’re pushed to have all these online accounts and conduct business online but when there’s a breach where is the support? The affected companies help to varying degrees of effectiveness but it’s typically broad and obligatory based on local laws.
Everyday people are collateral damage so at Privacy Rightfully we believe we need to take matters into our own hands as everyday people. From response, to education, to future precautions we’re hoping to help you each step of the way to minimise the damage that comes out of situations beyond your control. You can’t control how companies secure their customer data, but you can control what and how much you give them in the first place and know how to respond if you get that dreaded notification.
This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content are at the user’s own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.