Medibank v the hackers: how the health insurer fell to a mass data theft

Just after 1pm on 12 October, Medibank received a call from the Australian Signals Directorate. There had been chatter online that the Australian health insurance giant was about to become the victim of a ransomware attack, the spy agency warned.

Medibank had already determined there had been unauthorised access to its network and had shut off two backdoors that hackers had been using to get in and out of its systems.

There was no evidence that sensitive data had been accessed, the company said at the time. It believed the ransomware attack had been foiled.

But on 19 October, Medibank announced it had begun receiving messages from a hacker group about customer data removed from its systems. For the second time that month, it went into a trading halt.

Those communications continued from 18 to 24 Octoberas the company tried to figure out the nature of the data taken.

By 25 October, the hackers were getting impatient.

On 27 October, the hackers promised that once payment had been made they would explain to the company how the hack occurred and what it could do to prevent it happening again.

The deadline was set: Monday 7 November.

That day, the Medibank representative replied that the demands could not be met and it was Australian government policy that ransoms should not be paid.

Medibank made that position public and prepared the public for the worst, outlining exactly what had been accessed and potentially taken. In addition to the 9.7 million current and former customers whose names, dates of birth, phone numbers, email addresses and addresses were accessed, the health claims of about 160,000 Medibank customers, about 300,000 ahm customers and about 20,000 international customers were accessed by the hackers.

The hacker group then began releasing customer data on the dark web.

The following day, the group published another file containing claims made by dozens of policyholders in relation to the termination of pregnancies. On Friday, the group released files associated with 240 customers related to the harmful use of alcohol.

Medibank has now warned customers to expect days of files being published by the hackers.

On Friday the federal police commissioner, Reece Kershaw, confirmed that the hackers were located in Russia and said individuals believed to be responsible had been identified. He said the AFP would contact Russian law enforcement to pursue them.

The strong language from the government will be cold comfort for the hundreds of thousands of Medibank customers who will be nervously waiting for the daily leak of their most personal medical information.