IOTW: Everything we know about the Medibank data leak

Note: this article was updated on November 11, 2022 to reflect a development in the Australian Federal Police's investigation

The hacker responsible for a data breach of Australian health insurance provider Medibank which affected 9.7 million people has released private medical information on the dark web.

The hacker posted a file labelled “abortions” to dark web hacking site BreachForums on November 10, 2022. It apparently contains information on procedures that policyholders have claimed on, including miscarriages, terminations and ectopic pregnancies.  

The hackers also released files containing customer data called "good-list" and "naughty-list" on November 9, 2022. The so-called “naughty-list” reportedly includes details on those who had sought medical treatment for HIV, drug addiction or alcohol abuse or for mental health issues like eating disorders.

The hacker added to the November 10 data leak post, saying: "Society ask us about ransom, it's a 10 millions (sic) usd. We can make discount 9.7m 1$=1 customer."

During question time in Australian parliament on November 10, Minister of Home Affairs Clare O’Neil hit back at the hackers, saying: “I want the scumbags behind this attack to know that the smartest and toughest people in this country are coming [at] you.

“I want to say, particularly to the women whose private health information has been compromised overnight, as the minister for cyber-security but more importantly, as a woman, this should not have happened, and I know this is a really difficult time.”

David Koczkar, CEO of Medibank, called the release of the data “disgraceful” and a “weaponization of people’s private information”. He also called those involved in the cyber-attack and data leak “deplorable”.

In an attempt to protect those affected by the cyber security incident and the subsequent data leaks, Medibank urged members of the public and the media to not “unnecessarily download sensitive personal data from the dark web” and to “refrain from contacting customers directly”.

How did the breach happen?

The initial cyber security incident occurred on October 13, 2022, when Medibank detected some “unusual activity” on its internal systems. After dealing with the cyber-attack, Medibank said in a statement that there was “no evidence that customer data has been accessed” during the breach.  

Medibank was then contacted on October 17 by the malicious party, who aimed to “negotiate with the [healthcare] company regarding their alleged removal of customer data”.  

The malicious party attempted to weaponize Medibank’s customers’ private medical data to extort the medical insurer, saying that they would release the data of the“1k most [prominent] media persons” that include “[those with the] most [social media] followers, politicians, actors, bloggers, [LGBTQ+] activists [and] drug-addicted people” as well as people with “very interesting diagnoses”.

It was confirmed on October 20 that the hacker’s claims were legitimate. Medibank, however, publicly refused to bend to the hacker’s demands and said it would not pay a ransom over concerns it would “encourage the criminal to directly extort [its] customers”.  

The company also said that it had received council from cyber security experts who had said there was only a “limited chance” that paying the ransom would result in the return of the stolen data.

How we got here with @medibank. It initially said compromised login credentials were used (that may have involved VPN access). The attackers claim they accessed Redshift - an Amazon data warehousing product - via jump servers. #auspol #infosec (1/4)

— Jeremy Kirk (@Jeremy_Kirk) November 10, 2022

In a tweet on November 10, journalist Jeremy Kirk suggested that the hack took place as a result of hackers gaining access to Medibank’s internal systems via compromized login credentials, a tactic that “may have involved VPN access”.

According to Kirk, the hackers claim they used jump servers to access Amazon data warehouse Redshift. The hackers also claim that they had access to Medibank’s internal systems for a month before they were discovered. 

What data was stolen in the hack?

On November 7, Medibank revealed the true extent of the hack. The malicious actor gained unauthorized access to and stole the data for 9.7 million past and present customers.

The information included email addresses, phone numbers, addresses, Medicare numbers, names, dates of birth, passport numbers and visa details. It also encompassed the health claims data for 192,000 customers which contained private medical information including where customers were admitted for procedures, service provider names and locations and codes associated with diagnosis and procedures given.

Medibank urged all those affected to “stay vigilant” against cyber attacks that may be levelled against them because of the leak.

A full timeline of the data breach

• 13 October – Medibank notices some unusual activity on its networks. The affected networks are shut down.
• 14 October – the affected networks are restarted. Medibank releases a statement saying that there is “no evidence” that any customer data was accessed during the breach.
• 17 October – Medibank releases an update on the cyber security incident, describing the ongoing investigation into the unusual activity and recognizing that while it was “consistent with the precursors to a ransomware event”, there was still no evidence customer data had been compromised.
• 19 October – Medibank are contacted directly by the hacker, who claims to have stolen 200GB worth of customer data. The hacker attempts to negotiate the release of the information.
• 20 October – Medibank confirms that the hacker’s claims are legitimate. The Australian Federal Police starts investigating the cyber-attack.
• 7 November – the scope of the data breach is revealed, with Medibank confirming that the data of 9.7 million past and present customers was stolen in the breach. Medibank makes a public statement refusing to pay any ransom to the hacker.
• 8 November – the hacker threatens to release files on the dark web and encourages Medibank shareholders to sell their shares.
• 9 November – the hacker releases the “good-list” and “naughty-list” customer data files on the dark web. The Australian Federal Police partners with Commonwealth agencies and the Five Eyes Law Enforcement partners to investigate the cyber crime. Operation Guardian, which was previously introduced to help the victims of the Optus data breach, is extended to those affected by the Medibank data breach.
• 10 November – the hacker releases the “abortions” customer data files on the dark web and demands US$10mn to stop releasing data. 
• 11 November - The AFP, in collaboration with Interpol, linked the gang to a Russian hacking group