October 26, 2022
The federal government has activated emergency provisions to marshal all relevant agencies and departments behind its response to the Medibank cyberattack, in a sign of its growing concern about the escalating incident which may have affected up to 4 million Australians.
The move to activate the national coordination mechanism (NCM), a framework set up during the COVID-19 pandemic, comes after Medibank on Tuesday admitted hackers may have obtained the private medical records of customers of its flagship brand. The company had previously insisted that only its smaller, budget brand ahm and international student customers were affected. “This is a distressing development and Medibank unreservedly apologises to our customers,” it said in a statement to the ASX confirming the widening scale of the attack.
Home Affairs Minister Clare O’Neil told parliament on Tuesday that she had activated the NCM, which means all the necessary Commonwealth agencies and departments have been corralled to deal with the attack. These include the Australian Federal Police, Australian Signals Directorate, Australian Cyber Security Centre, Department of Home Affairs, Services Australia and the Department of Health.
“What we can see is Medibank is just as complex and urgent as some of what was dealt with [during the pandemic],” O’Neil said on Tuesday. “When it comes to the personal health information of Australians, the damage here is potentially irreparable”.
The stolen data is from current and former customers and includes names, addresses, birthdates, Medicare numbers, contact information and claims data from the private health insurer. The list of Medibank customers affected potentially includes high-profile Australians.
“Australians who are struggling with mental health conditions, drug and alcohol addiction, with diseases that carry some shame or embarrassment – they are entitled to keep that information private and confidential,” O’Neil said in parliament.
Senator James Paterson, the shadow minister for cybersecurity, criticised the government for a slow response to the attacks and said that, despite the company’s initial denials, customers’ worst fears have now been realised.
“After a slow and confused response to the Optus cyberattack, it is concerning that it took Cybersecurity Minister Clare O’Neil a week to publicly respond to the Medibank hack,” he said.
“Ms O’Neil should explain why she accepted the company’s initial denial [that] this was serious, delaying government engagement by a week. Every day lost worsens the damage done.”
O’Neil said she expected Medibank “to continue to swiftly provide the government with all information it needs as a matter of urgency.”
Medibank said on Tuesday that it had received further details from the hackers. This includes a file of a further 1000 policy records from its budget brand ahm – including personal and health claims data. It said the files also contained some Medibank customer data.
Medibank chief executive David Koczkar said the company continued to work closely with agencies of the federal government, including on the ongoing criminal investigation into this matter.
“This is a malicious attack that has been committed by criminals with a view of causing maximum fear and damage, especially to the most vulnerable members of our community,” he said.
Medibank said it would begin contacting current and former customers to recommend steps they could take.
It urged customers to remain vigilant to suspicious communications received via email, text or phone call.
The escalation of the Medibank crisis comes nearly two weeks after the company first confirmed the hacking incident on October 14. Medibank initially said there was no evidence that customer data was accessed in the attack.
That changed last week when Medibank received a threat from the hackers – which was also obtained by The Sydney Morning Herald and The Age. The unknown group said they would sell 200 gigabytes of stolen data unless Medibank paid a ransom. The hackers also threatened to release confidential records of Medibank’s 1000 most famous customers.
Medibank has close to 4 million customers and a market value of nearly $10 billion.
Logs obtained by cybersecurity researchers and seen by The Sydney Morning Herald and The Age indicate someone with access to internal Medibank systems had their company login credentials stolen from their web browser. The credentials were stolen some time around August 7.
Current investigations have confirmed that these details were then sold online to the party who accessed Medibank’s systems and copied the health records by deploying a tool on the platform to harvest customer data at a large scale.
Medibank does not believe the hacker is state-sponsored, but no further details of their origins are known.
Shares of the $10-billion company have been suspended from trading since last week, but are due to come out of suspension on Wednesday morning.