After hitting the Australian telecommunications company Optus, where the information of over 9 million users was exposed, cybercriminals have victimized another company: Medibank, one of the largest Australian insurance companies.
Following the data breach at Medibank, the threat actors have released the personal health information of millions of users obtained in the attack.
It is expected that even more data will be leaked on the dark web. The affected users are being contacted about possible phishing schemes.
What do we know about the incident and data leaked on the dark web so far? How can businesses protect their assets from similar attacks?
Keep reading to find out more.
Data Breach On Medibank
On October 12, the Medibank security team noticed hacking activity on their network. They managed to stop the ransomware, a type of malware that encrypts files on devices in order to demand a ransom in exchange for the key that unlocks them.
Even though they contained the ransomware, the threat actors had already obtained the information of over nine million customers.
The hackers then used the stolen information to demand payment in exchange for not leaking it on the dark web.
Who is responsible for the Medibank attack?
Not much is known about the hacking group other than that they operate outside Australia, but it is suspected that the criminals behind the breach are the group known as REvil.
As a result of this hack, the sensitive data of over 9.6 million former and current users has already been, or is likely to be, leaked on the dark web.
Medibank Users Compromised
On November 9, after the deadline for paying the ransom expired, cybercriminals started to leak the data on the dark web.
This information includes personal data that can lead to further criminal activity.
As Medibank disclosed on their website: “We have become aware that the criminal has released files on a dark web forum containing customer data that is believed to have been stolen from Medibank’s systems.
This data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for Ahm customers (not expiry dates), in some cases, passport numbers for our international students (not expiry dates), and some health claims data.”
The users' data has been separated into two lists, “nice” and “naughty”.
The list dubbed “naughty” contains information about customers' substance abuse, HIV status, and more.
Paying a Ransom Was Not an Option
According to Statista, 71% of companies worldwide have been targeted with ransomware in 2022. Approximately 72% of victimized companies have reported paying the ransom and recovering personal information.
Cyberattacks such as ransomware target more than finances; they also aim at ruining the reputation of a business. The criminals targeting Medibank made that clear by advising others to “sell their Medibank stocks”.
For many companies, paying seems to be the best way to regain the information, avoid public scrutiny, and keep the incident under wraps.
Under the pressure of an attack, companies see it as a way to avoid negative media attention as well as prevent having to pay for the high cost of rebuilding their entire infrastructure.
However, paying the ransom is not advisable, and it’s illegal since it funds further criminal activity.
For Medibank, paying has not been an option: “Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Medibank’s CEO David Koczkar.
Even if Medibank had complied with the hackers' demands, there was no guarantee that the criminals would have held up their end of the deal and not released the data regardless.
How Can Such Cyberattacks Be Prevented?
Could this attack have been avoided?
This case is a reminder that even the companies that already heavily invest in security are prone to successful cyberattacks. New hacking methods appear every day, and organizations can have exploitable vulnerabilities at any given time.
The best businesses can do is to have layered security consisting of several solutions that together protect every device, data store, and person linked to the network.
Both the data circulating through the system and the security tools that guard it have to be managed and kept under control.
The infrastructure of every company is unique, which means that they’ll require versatile tools such as:
- Breach and Attack Simulation for security management
- Attack-specific tools such as anti-ransomware
- Basic security solutions such as firewalls, anti-malware, and antivirus
- Employee awareness training (for phishing, since it predominantly targets workers)
Breach and Attack Simulation is an AI-powered tool that tests security solutions 24/7 and updates its findings in real time.
The tool is continually updated with the latest findings from the MITRE ATT&CK Framework.
As a result, it can discover the flaws that need patching before hackers find and exploit them to breach the company and obtain sensitive information.
What’s Next For the Affected Customers?
Medibank is currently investigating the incident and closely working with the Australian Government, Cyber Security Center, and Federal Police.
It’s expected that even more data is about to be released on the dark web in the days that follow.
Medibank is also notifying the affected users whose data has been compromised in the breach, to let them know which information has been stolen and what they can do to protect themselves from fraud.
As for the users whose data has already been leaked on the dark web, they are advised to keep an eye out for possible phishing schemes, since it is likely that they will be contacted directly, to change their passwords to strong ones, and not to open any messages from unknown senders.
A class action by Medibank customers may also follow; two law firms have already started building the case.
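The phishing risk described above (criminals contacting leaked customers directly while posing as the insurer) is the kind of thing a mail-filtering rule can flag. The script below is an added example, not code from the original article or from Medibank; it scores a message on a few indicators a defender would look for: a sender domain outside the organisation's trusted sending domains, urgency wording, links to lookalike hosts that contain the brand name but are not the real domain, and requests for the exact data types the breach exposed. The trusted domain list, the two sample messages and the `.example` lookalike domains are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumption for this example: the only legitimate sending domain.
TRUSTED_DOMAINS = {"medibank.com.au"}

# Phrases typical of pressure tactics in breach-aftermath phishing.
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "verify your account", "urgent")

# Data types the article lists as exposed; a legitimate notice never asks you to send them back.
SENSITIVE_REQUESTS = ("password", "medicare number", "passport", "date of birth")


@dataclass
class Email:
    sender: str
    subject: str
    body: str


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def extract_links(text: str) -> list:
    """Pull http(s) URLs out of a plain-text body."""
    return re.findall(r"https?://[^\s<>\"']+", text)


def link_host(url: str) -> str:
    """Return the host portion of a URL, lower-cased."""
    m = re.match(r"https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""


def is_trusted_host(host: str, trusted: set) -> bool:
    """True for a trusted domain or any of its subdomains."""
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def lookalike(host: str, trusted: set) -> bool:
    """True when a host borrows the brand name without being the real domain."""
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host and not is_trusted_host(host, trusted):
            return True
    return False


def score_email(email: Email) -> tuple:
    """Return (score, reasons): one point per phishing indicator found."""
    reasons = []
    dom = sender_domain(email.sender)
    if dom not in TRUSTED_DOMAINS:
        reasons.append(f"sender domain {dom} is not a trusted sending domain")
    text = (email.subject + " " + email.body).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    for url in extract_links(email.body):
        host = link_host(url)
        if lookalike(host, TRUSTED_DOMAINS):
            reasons.append(f"link to lookalike host {host}")
        elif not is_trusted_host(host, TRUSTED_DOMAINS):
            reasons.append(f"link to untrusted host {host}")
    if any(k in text for k in SENSITIVE_REQUESTS):
        reasons.append("requests sensitive personal data")
    return len(reasons), reasons


# Constructed samples (the .example TLD is reserved and never resolves).
SAMPLE_PHISHING = Email(
    sender="support@medibank-claims.example",
    subject="Urgent: verify your account",
    body="Following the recent incident, please verify your account at "
         "http://medibank-secure.example/verify and confirm your Medicare number.",
)
SAMPLE_LEGIT = Email(
    sender="notifications@medibank.com.au",
    subject="Important information about your data",
    body="We have notified affected customers. Visit https://www.medibank.com.au/ "
         "for more information. We will never ask you to confirm details by email.",
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISHING, SAMPLE_LEGIT):
        score, reasons = score_email(sample)
        print(f"{sample.sender}: score {score}")
        for r in reasons:
            print("  -", r)
```

The score is deliberately a plain indicator count rather than a weighted model, so each point maps to a reason a recipient or analyst can read back; in a real mail gateway the same checks would feed an existing scoring engine rather than replace it.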