Medibank now says hackers accessed all its customers’ personal data

​Australian insurance firm Medibank has confirmed that hackers accessed all of its customers' personal data and a large amount of health claims data during a recent ransomware attack.

In an announcement published today, the companies warned that an internal investigation into the attack has shown that the threat actors had far greater access to customer data than initially thought.

More specifically, Medibank has confirmed that the following data was compromised:

• All ahm customers' personal data and significant amounts of health claims data.
• All international student customers' personal data and significant amounts of health claims data.
• All Medibank customers' personal data and significant amounts of health claims data.

While data access and data exfiltration are separate things, Medibank found evidence that, in some cases, the threat actors managed to remove some of the accessed data, so customers should assume that all of this data was stolen.

"As previously advised, we have evidence that the criminal has removed some of this data, and it is now likely that the criminal has stolen further personal and health claims data," explains the announcement.

"As a result, we expect that the number of affected customers could grow substantially."

Last week, Medibank assured its 2.8 million customers that there was no evidence of any customer data having been accessed or exfiltrated and claimed the hackers didn't encrypt anything before they were stopped.

However, many ransomware gangs steal corporate data before attempting to encrypt devices, which appears to have happened during this attack.

A few days after the company played down the impact of the security incident, the ransomware gang made contact to extort the company, providing a sample of 100 stolen files out of an alleged 200GB of data stolen during the attack.

Medibank soon realized that the threat actors had exfiltrated client data, so the internal investigation took a more targeted approach, eventually revealing a full-scale data breach.

Based on this development, Medibank now upgrades its response and support to customers by providing the following:

• Financial support for customers who are in a uniquely vulnerable position as a result of this crime.
• Free identity monitoring services for customers who have had their primary ID compromised
• Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime.
• Specialist identity protection advice and resources from IDCARE.
• Medibank's mental health and wellbeing support line.

Australia responds to breaches

Meanwhile, following a series of high-profile and damaging data breaches that hit several Australian firms in the past couple of weeks, the government is working to introduce stricter data protection laws.

A proposal published by the Australian Government on Saturday for the new Privacy Legislation Amendment Bill 2022 aims to:

• Increase privacy breach penalties from $2.22 million AUD to $50 million AUD,
• or three times the value of any benefit obtained through the misuse of information, if greater,
• or 30% of a company's adjusted turnover in the relevant period, if greater.

The Bill will also give the Australian Information Commissioner greater powers to resolve privacy breaches and force companies to share all details about what was compromised with the agency.

It also establishes a data-sharing channel between the Commissioner and the Australian Communications and Media Authority.