Nino Bucci reports:
Private health insurer Medibank has entered a trading halt after telling customers it had received messages from a group claiming to have accessed the data of its customers in a cyber-attack.
In a statement to the Australian stock exchange on Wednesday, the company said it had received messages from a group that wished to negotiate regarding the alleged removal of customer data.
Read more at The Guardian.
In related news, The Sydney Morning Herald quoted a passage from what is described as the ransom note, although the group sending the note was not named:
“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.
Although Medibank is investigating the claims, there’s nothing in their latest update that says that the health insurer would pay or even negotiate with the threat actors if the claims of acquiring personal and sensitive information are confirmed. Some others appear to be interpreting their statement as indicating that they are negotiating (see, for example, IT Pro’s headline “Medibank begins negotiations with hackers who claim to have stolen data in last week’s cyber attack”). DataBreaches has sent an inquiry to Medibank’s media communications team to request clarification, but no reply was immediately received. This post will be updated when a response is received, or Medibank issues further clarification.
Medibank’s update states that the attack did not involve locking Medibank’s files, so the most compelling motivation for Medibank to pay would be to protect sensitive information on plan members.
Update:
In a statement sent to DataBreaches, Medibank provided details about communications from the threat actors, stating that they have been contacted by a criminal claiming to have stolen 200GB of data.
- The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems.
- That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
- This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.
- The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations.
In terms of what Medibank is currently doing, they write:
Medibank teams continue to work around the clock to understand what additional customer data has been affected, and how this will impact them.
This morning we will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next.
We expect the number of affected customers to grow as the incident continues.
We will continue to contact affected customers.
Medibank urges our customers to remain vigilant, and encourages them to seek independent advice from trusted sources, including the Australian Cyber Security Centre at cyber.gov.au
If they expect the number of affected customers to grow, it does not sound like they expect to reach a deal with the criminal, but DataBreaches notes that they did not directly answer the question DataBreaches had put to them about whether there were any negotiations.
For customer support, they offer the following:
To reduce wait times for our customers, we have redeployed our people to support new cyber response hotlines in our call centres.
Medibank and ahm customers can contact us by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates.
Our customers can also speak to Medibank’s experienced and qualified mental health professionals 24/7 over the phone to discuss any mental health questions or issues.
Medibank is in discussions with government stakeholders about what else we can do to assist our customers in safeguarding their identities and health information, and we will be in touch with customers about those steps directly.