Published:
06 December 2022
===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2022.0199.6
                    Unusual Activity on Medibank Network
                              6 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Medibank Cyber Security Incident
Resolution:           Mitigation

Revision History:
  December 6 2022:  Medibank released a statement with regard to the
                    Medibank data breach incident
  November 9 2022:  Medibank released further information on the Medibank
                    cybercrime incident
  October 25 2022:  Medibank announced a further development in Medibank
                    cybercrime event
  October 20 2022:  Further information on the latest development of the
                    Medibank cyber incident
  October 18 2022:  Received further information
  October 14 2022:  Initial Release

OVERVIEW

News has emerged of unusual activity detected on the Medibank network
[1][2].

IMPACT

Medibank reported that they temporarily took their AHM (Australian Health
Management) and International Student Policy systems down. Medibank later
announced that the systems are back online [1][2].

Medibank also reported that at this stage they have not found any evidence
of sensitive data being accessed [1][2].

UPDATE 18/10/2022:
Medibank has confirmed that they have found no evidence that any customer
data has been removed from their systems and they have resumed their normal
business activities for their customers [1].

Medibank has also announced that unusual network activity was detected on
their IT network consistent with a possible ransomware attack; however,
their systems appear unaffected [1].

UPDATE 20/10/2022:
Medibank has provided an update on the latest development of the cyber
incident, which is being investigated by the Australian Federal Police as a
crime [1].

According to the reports, Medibank has been contacted by the alleged
hacking group, who have provided a sample of records for 100 policies which
include:

* First name and surname
* Address
* Date of birth
* Medicare number
* Policy number
* Phone number
* Some claims data [1]

Medibank has also confirmed that the hackers have claimed to have
information with regard to credit card security; however, this has not yet
been verified by the investigations [1].

Medibank encourages its customers to seek independent advice from trusted
sources [1].

UPDATE 25/10/2022:
Medibank confirms information taken includes Medibank customer data in
addition to that of AHM and international student customers [1].

UPDATE 09/11/2022:
Medibank confirms that customer data has been released on a dark web forum
that is believed to have been appropriated from Medibank systems [1]. This
data includes:

* Names
* Addresses
* Dates of birth
* Phone numbers
* Email addresses
* Medicare numbers for AHM customers
* Passport numbers of international students
* Health claims data [1]

Medibank states that they expect the criminal to continue to release data
on the dark web [1].

UPDATE 06/12/2022:
Medibank released a statement on Thursday 1 December 2022 advising that
they are aware of Medibank customer data being released on the dark web
overnight [1].

Medibank also stated that they are aware of the media reports which
indicate that the alleged hacking group appeared to have dumped the final
batch of Medibank customer data online and declared "Case closed" [1].

Medibank further stated that their investigations and support to the
impacted customers will continue [1].

MITIGATION

Medibank reported that the investigation will continue to understand the
full nature of the incident and the potential impact on the customers
[1][2].

AusCERT is aware of the situation and will keep the members updated should
further information or any actionable indicators of compromise be released.

UPDATE 25/10/2022:
Medibank continues to analyse the issue to determine the total number of
customers impacted, and which information has been stolen [1].

Further, Medibank has announced a comprehensive support package for its
affected customers [1].

UPDATE 09/11/2022:
Medibank advises its customers to be vigilant with all online
communications and transactions [1].

Medibank further advises that the Australian Federal Police has expanded
Operation Guardian to protect Medibank Private customers whose personal
data has been unlawfully released online by the criminals [1].

REFERENCES

[1] Medibank cyber incident
    https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/

[2] Medibank takes systems offline after 'cyber incident'
    https://www.itnews.com.au/news/medibank-takes-systems-offline-after-cyber-incident-586417

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================