-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2022.0199.6
                   Unusual Activity on Medibank Network
                              6 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Medibank Cyber Security Incident
Resolution:       Mitigation

Revision History: December  6 2022: Medibank released a statement with regards to the Medibank data breach incident
                  November  9 2022: Medibank released further information on the Medibank cybercrime incident
                  October  25 2022: Medibank announced a further development in Medibank cybercrime event
                  October  20 2022: Further information on the latest development of the Medibank cyber incident
                  October  18 2022: Received further information
                  October  14 2022: Initial Release

OVERVIEW

        News has emerged of unusual activity detected on the Medibank network [1][2].


IMPACT

        Medibank reported that they temporarily took their AHM 
        (Australian Health Management) and International Student 
        Policy systems down.
        
        Medibank later announced that the systems are back online [1][2].
        
        Medibank also reported that at this stage they have not found any evidence
        of sensitive data being accessed [1][2].
        
        UPDATE 18/10/2022:
        
        Medibank has confirmed that they have found no evidence that any customer
        data has been removed from their systems and they have resumed their
        normal business activities for their customers [1]. 
        
        Medibank has also announced that unusual network activity was detected on
        their IT network consistent with a possible ransomware attack, however
        their systems appear unaffected [1].
        
        UPDATE 20/10/2022:
        
        Medibank has provided an update on the latest development of the cyber
        incident which is being investigated by the Australian Federal Police
        as a crime [1].
        
        According to the reports, Medibank has been contacted by the alleged
        hacking group who have provided a sample of records for 100 policies
        which include:
        
        * First name and surname
        * Address
        * Date of birth
        * Medicare number
        * Policy number
        * Phone number
        * Some claims data [1]
        
        Medibank has also confirmed that the hackers have claimed
        to have information with regards to credit card security;
        however, this has not yet been verified by the investigations [1].
        
        Medibank encourages its customers to seek independent advice from
        trusted sources [1].
        
        UPDATE 25/10/2022:
        
        Medibank confirms information taken includes Medibank
        customer data in addition to that of AHM and international student
        customers [1].
        
        UPDATE 09/11/2022:
                
        Medibank confirms that customer data has been released on a dark web
        forum that is believed to have been appropriated from Medibank systems [1].
                
        This data includes:
                
        Names
        Addresses
        Dates of birth
        Phone numbers
        Email addresses
        Medicare numbers for AHM customers
        Passport numbers of international students
        Health claims data [1]
                
        Medibank states that they expect the criminal to continue to release
        data on the dark web [1].
        
        UPDATE 06/12/2022:
        
        Medibank released a statement on Thursday 1 December 2022 advising
        that they are aware of Medibank customer data being released on the
        dark web overnight [1].
        
        Medibank also stated that they are aware of the media reports which indicate
        that the alleged hacking group appeared to have dumped the final batch of Medibank
        customer data online and declared "Case closed" [1].
        
        Medibank further stated that their investigations and support to the impacted
        customers will continue [1].


MITIGATION

        Medibank reported that the investigation will continue to understand 
        the full nature of the incident and the potential impact on the customers [1][2].
        
        AusCERT is aware of the situation and will keep the members updated
        should further information or any actionable indicators of compromise
        be released. 
        
        UPDATE 25/10/2022:
        
        Medibank continues to analyse the issue to determine the total number
        of customers impacted, and which information has been stolen [1].
        
        Further, Medibank has announced a comprehensive support package for its affected customers [1].
        
        UPDATE 09/11/2022:
                
        Medibank advises its customers to be vigilant with all online communications
        and transactions [1].
                
        Medibank further advises that the Australian Federal Police has expanded
        Operation Guardian to protect Medibank Private customers whose personal
        data has been unlawfully released online by the criminals [1].


REFERENCES

        [1] Medibank cyber incident
            https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/

        [2] Medibank takes systems offline after 'cyber incident'
            https://www.itnews.com.au/news/medibank-takes-systems-offline-after-cyber-incident-586417

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----