Medibank, an Australian health insurance giant, has reported that ransomware actors accessed the personal information of every one of its customers, a disclosure that came a few days after the company had downplayed the aftermath of a recent breach.
In a newly issued statement, Medibank admitted that the threat actors might have compromised all of its customers’ personal data, including that of international students and policyholders with Medibank’s ahm business.
In other words, it’s possible that an estimated four million Australians have been exposed to the risk of phishing attacks and follow-on fraud.
The compromised data may include customers’ names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, and claims data. International students may even have had their passport numbers stolen.
“The criminal also claimed to have stolen other information, including data related to credit card security,” Medibank’s statement said. “We are in the process of verifying this allegation. Our procedures restrict us from retaining full credit card numbers and we do not hold CVV numbers.”
At first, Medibank had promised its customers that none of their personal data had been accessed during the extortion attack, because it had stopped the attackers before they could launch the ransomware payload.
The attackers later contacted Medibank, however, claiming that they had actually stolen nearly 200GB of data from the company before it realized what was happening, and even sent Medibank a sample for verification.
Since Medibank is still investigating the matter, it doesn’t yet know the exact number of affected customers.
Medibank noted, “As previously advised, we have evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data. As a result, we expect that the number of affected customers could grow substantially.”
According to other reports, the breach might have cost Medibank tens of millions of dollars, especially since it lacks cyber-insurance.
Medibank’s conflicting public statements will only increase customer outrage, and they will also serve as an example of how the company reacts to incidents and addresses them in real time.
Jordan Schroeder, the managing CISO at Barrier Networks, urged companies to make improving cyber-resilience a priority, because doing so would make it easier to determine the blast radius of an attack once a threat actor has forced their way into a network.
Schroeder said, “This latest update comes only a few days after the company had said no customer data was compromised, so it certainly raises some alarm bells about the handling of the incident and investigation into the breach.”
“However, in fairness, Medibank is not alone,” he added. “Breach investigations are a long process, and it can sometimes take months to fully understand the scale and impact of attacks.”