Medibank breach: Hackers start leaking health data after ransomware attack

By | 09/11/2022

Medibank is still refusing to pay a ransom of an undisclosed amount to cybercriminals, despite the hackers now allegedly threatening to release the stolen data on the dark web.

It’s reported the data of about 9.7 million current and former Medibank customers were compromised in a breach first confirmed by Medibank on October 13.

The data are said to include customers’ names, dates of birth, addresses, phone numbers and email addresses – as well as some 500,000 health claims with information such as patients’ service provider details, where they received medical services and the types of treatments they claimed.

Medibank’s chief executive has said the company won’t be paying up – a decision endorsed by Home Affairs Minister Clare O’Neil. But what does the evidence say?

How was the data stolen?

According to various reports, it all started when a hacker compromised the credentials of a Medibank employee who had access to a number of the company’s information repositories.

It’s unclear whether the employee would have needed multifactor authentication to access these data – and, if so, whether this was also compromised.

It’s believed this hacker then sold the employee’s credentials to notorious cybercriminal group REvil via an online Russian-language forum. Around midnight, REvil posted on the dark web threatening it would release the data in the next 24 hours should the ransom not be paid.

While there’s no evidence REvil does indeed have access to the stolen data, historically the REvil group has not been found to bluff. There’s no reason to believe this time is different.

Medibank first identified unusual activity on its network on October 12. It then launched a follow-up investigation that confirmed the breach. We don’t know how long the cybercriminals may have had access to its systems before then.

It’s reported they stole some 200GB of data in total. This is quite a large amount, and it would be unusual not to notice the export of this much sensitive data.

In this case, however, it seems the criminals used some sort of compression algorithm to minimise the data file size. This may have allowed the data extraction to be less obvious, perhaps also through splitting the data into smaller data packages.

To pay or not to pay?

Medibank chief executive David Koczkar has said the ransom request would not be paid, and “making any payment would increase the risk of extortion for our customers, and put more Australians at risk”.

He said the decision is consistent with advice from cybersecurity experts and the Australian government.

This is, in fact, a smart decision. Even if the ransom is paid, it does not guarantee the cybercriminals will not use the stolen data for other malicious purposes, or won’t undertake further attacks against Medibank.

Law enforcement agencies across the world are against paying ransoms. However, there are life-threatening situations in a healthcare context, such as during remote surgery, when there may be no choice.

Cybercriminals take advantage of vulnerabilities in healthcare IT infrastructure – largely because there’s a higher chance of getting a ransom paid in healthcare than in any other sector.

Often, organisations targeted will have to pay a ransom to get back access to data and keep providing healthcare services. According to one recent report, the majority of ransomware attack victims in healthcare end up paying the ransom.

As to why Medibank hasn’t disclosed the specific ransom amount, this is because this information could encourage other cybercriminals to aim for similar targets in future ransom events.

If the ransom were disclosed, and later had to be paid, Medibank’s reputation as an insurance provider would hit rock bottom. When Colonial Pipeline’s fuel pipeline infrastructure in the US was hit by a ransomware attack, the hefty ransom payment of US$4.4 million left a permanent scar on the operator’s reputation.

The risks as the situation unfolds

The risks for victims of the Medicare data breach must not be underestimated. This sensitive information could be used in various types of fraud.

For example, hackers may call victims of the data breach pretending to be Medibank, and ask for a service charge to have their information safeguarded. Healthcare data can also be used for blackmail and fraudulent billing.

What’s more, hackers can identify the most vulnerable individuals among the list of victims and create customised attack vectors. For example, individuals with implanted devices (such as pacemakers) can be targeted with bribery and threats to their life.

[Video: Medibank refuses to pay ransom for hacked data (duration 4 minutes 20 seconds)]

Beyond this, cybercriminals could also use victims’ personal information to conduct a number of other scams unrelated to Medibank or healthcare. After all, if you have someone’s details it’s much easier to pretend to be any organisation or company with authority.

For those potentially affected by the Medicare data breach, the most important thing now is to remain vigilant about all types of online activity. You can start by replacing your passwords with more secure passphrases. You should also consider running a credit check to see if any suspicious activity has been conducted in your name.

Mohiuddin Ahmed is a Senior Lecturer in Cyber Security at Edith Cowan University. Paul Haskell-Dowland is a Professor of Cyber Security Practice at Edith Cowan University. This piece first appeared on The Conversation.