When the Medibank cyber attack first came to light two weeks ago, the insurance company was still investigating the incident, but assured everyone no customer data had been compromised. That changed yesterday when Medibank admitted its investigations revealed the attack was bigger than first thought.
It initially believed only customers with AHM and international students’ policies might have been targeted. Now, the company says cybercriminals accessed almost all of its 3.9 million customers’ personal data as well as a considerable amount of health claims information. This can include highly sensitive information about people’s personal health, mental health, the medication they use, and the procedures they’ve undergone.
Medibank also admitted that patient information relating to My Home Hospital was compromised too. This is a service delivered through a joint venture between Calvary and Medibank on behalf of Wellbeing SA and the South Australian Government.
“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community,” chief executive David Koczkar said in a statement.
While the company first suspected it was an attempted ransomware attack, Medibank now says none of its systems have been encrypted by ransomware, but it’s continuing to monitor the situation. The insurer has also started handing out cybercrime support packages to affected customers and provided tips on what patients should do now.
The Medibank breach is the latest in a series of cyber attacks on Australian companies that have collectively compromised over half the country’s residents. This has created increasing alarm among organizations and the government sector.
While Sydney is celebrating its wettest year on record, most Australians are looking at an altogether different kind of record. The country has had an unprecedented year in terms of cyber breaches in 2022, with Medibank the latest to fall victim to a potential ransomware attack.
Most of the major attacks this year occurred within the last two months, and some of the affected companies include Optus, Telstra, Woolworths, and now Medibank. Of all these, it seems the Medibank hack has caused the least amount of damage, at least so far. While it quickly assured the media that no customer data has been compromised, the private health insurer hasn’t revealed a lot of information about the attack just yet.
These events spark a concerning outlook for Australians’ data privacy, as millions of citizens’ information has now been compromised in the retail, health, and telecommunications sectors. In total, the personal or employee data of around 12.4 million Australians has been compromised in a matter of weeks. That’s nearly half the country.
Medibank’s Ransomware Attack Still Light on the Details
Medibank reported that it had detected unusual activity on its client-facing systems on Wednesday, 12 October. The company claims it took “immediate steps to contain the incident, and engaged specialized cybersecurity firms” to start resolving the issue.
Part of Medibank’s containment procedure involved isolating some of its client systems. The AHM (Australian Health Management) and international student policy management systems were taken offline for two days. Most of the company’s services functioned normally though.
According to the company’s messaging, it took down some customer-facing systems to reduce the likelihood of damage to systems or data loss. While the insurer called this a “cyber incident” at first, it later released an update stating the unusual activity it detected is consistent with the precursors to a ransomware event.
Medibank has repeatedly stated in its communications that it hasn’t found any evidence to suggest client data was compromised. At the same time, the company is still in the process of investigating the incident, which means things could change as they make progress.
“I apologise and acknowledge that in the current environment this news may make people concerned,” Medibank CEO David Koczkar added in a statement. The current environment being that Australia is experiencing an unprecedented number of major cyber attacks in quick succession, which is a cause for concern.
A Bad Year for Digital Privacy in Australia
Even though Medibank specified no customer data has been stolen in this breach, plenty of Australians’ personal information has been compromised already. This includes extremely sensitive details, like people’s ID numbers, physical addresses, dates of birth, driver’s licenses, and passport numbers.
For most people, the compromised data also includes their email addresses, phone numbers, and their name/surname. These might seem insignificant compared to the type of information mentioned above, but don’t be fooled into being complacent. Cybercriminals pay generous amounts of money for precisely this kind of datasets as they can wreak all sorts of havoc with it, including targeted email phishing attacks, crypto scams, and SMS phishing attacks.
These phishing scams can be very convincing, because they can personalize it using your stolen details. Criminals can also use the stolen data to track you down in real life or conduct identity theft. That’s why your data is valuable — and why cybercriminals are always itching to get their hands on it. Even something as “small” as a stolen email address can cause real-world harm for its owner.
Australians: Time to Make Data Privacy and Security a Priority
Various cries for policy change have followed in the wake of these attacks. Australian Prime Minister Anthony Albanese has proposed an amendment to the country’s Telecommunications Regulations 2021 Act. This amendment will allow companies to temporarily share information with approved banks and government agencies.
In theory, Albanese’ suggestion will help these institutions be more vigilant and act swiftly with enhanced monitoring for customers affected by an attack. Sadly, Australian officials haven’t proposed any changes to Australia’s data privacy regulations that would give consumers more power over their data or limit corporations more in terms of their data collection and storage practices. At least one person in parliament questioned this lack of action:
One significant question is whether the cyber security requirements that we place on large telecommunications providers in this country are fit for purpose.Cybersecurity Minister Clare O’Neil
This hasn’t spurred any new regulatory changes yet though. Since official channels are lax to change the status quo, it’s up to individual Australians to protect their own data — at least as much as possible. That means following basic cyber hygiene practices, using more secure passwords, enabling multi-factor authentication, and using a VPN to encrypt your connection.
CyberGhost VPN uses uncrackable 256-bit AES encryption to secure all of your internet traffic, including your apps and instant messages. We also route your connection through secure RAM-only servers in locations of your choosing that don’t log your data.
The result is safe, worry-free browsing every time. Although it’s important to keep in mind that any information you willingly enter into a website can still be compromised, even if you end up not submitting it.