
Major twist in Medibank hack: customer data exposed

Written by StickmanCyber Team | Oct 26, 2022 2:48:58 AM

Medibank revealed this morning that all of its customers, including AHM and international customers, have had their personal data exposed to hackers. The data includes ‘significant amounts’ of health claims. With millions of customers affected, this cyberattack could eclipse the impact of Optus’s recent data breach.

Our founder and CEO, Ajay, was interviewed by news.com.au on his immediate thoughts on this alarming turn of events. 

Read the full article below as featured in News.com.au.

Medibank customers have been dealt a massive new blow after the company today confirmed that all customer personal data was exposed to cyber criminals along with “significant amounts” of health claims.

The hacking scandal now threatens to eclipse the recent Optus breach, with millions of customers potentially affected.

In the company’s cybercrime, business and FY23 outlook update announced this morning, Medibank revealed that since yesterday, it had discovered that the criminal behind the hack had access to “all ahm customers’ personal data and significant amounts of health claims data, all international student customers’ personal data and significant amounts of health claims data, and all Medibank customers’ personal data and significant amounts of health claims data”.

“As previously advised, we have evidence that the criminal has removed some of our customers’ personal and health claims data and it is now likely that the criminal has stolen further personal and health claims data,” the announcement states.

“As a result, we expect that the number of affected customers could grow substantially.”

Medibank has announced a support package for affected customers which includes a hardship package to provide financial support for customers who are in a uniquely vulnerable position as a result of the crime, access to Medibank’s mental health and wellbeing support line for all customers, access to specialist identity protection advice and resources, free identity monitoring services for customers who have had their primary ID compromised and reimbursement of fees for reissue of identity documents that have been fully compromised in this crime.

Medibank confirmed that normal business operations were being maintained, and that it was working with the AFP, specialised cyber security firms, the Australian Cyber Security Centre (ACSC) and government stakeholders.

It stressed that its “priority is to continue working to understand the specific data that has been taken for each of our customers so that we can contact them directly to let them know”.

The company added that the cybercrime event “continues to evolve and at this stage, we are unable to predict with any certainty the impact of any future events on Medibank including the quantum of any potential customer and other remediation, regulatory or litigation related costs”.

Medibank CEO David Koczkar confirmed the investigation “has now established that this criminal has accessed all our private health insurance customers personal data and significant amounts of their health claims data”.

“The investigation into this cybercrime event is continuing, with particular focus on what data was removed by the criminal,” he said.

“As we’ve continued to say we believe that the scale of stolen customer data will be greater and we expect that the number of affected customers could grow substantially.

“I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”

Shock over Medibank’s bombshell admission

Meanwhile, attention is turning to one shock admission buried within Medibank’s announcement – the fact it did not have cyber insurance.

“Based on our current actions in response to the cybercrime event, noting that Medibank does not have cyber insurance, we currently estimate $25 million-$35 million pre-tax non-recurring costs will impact earnings in 1H23. These non-recurring costs do not include further potential customer and other remediation, regulatory or litigation related costs,” the statement revealed.

Australian cybersecurity expert Ajay Unni, the CEO of cyber security services company StickmanCyber, told news.com.au he was shocked by the revelation, and said it indicated the company had likely been blindsided by the hack.