‘We know who you are’ • ZebethMedia

The Australian Federal Police claims to have identified the cybercriminals behind the Medibank ransomware attack, which compromised the personal data of 9.7 million customers.

AFP Commissioner Reece Kershaw said on Friday that the agency knows the identity of the individuals responsible for the attack on Australia’s largest private health insurer. He declined to name the individuals but said the AFP believes that those responsible for the breach are in Russia, though some affiliates may be in other countries.

In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the AFP knows where the hackers are and is working to bring them to justice.

“The Australian Federal Police have identified the hackers, revealing they’re located in Russia. We know where they are. And we are working hard to bring them to justice.” — Anthony Albanese (@AlboMP) November 11, 2022

Kershaw said that police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, but did not name victims. “These cyber criminals are operating like a business with affiliates and associates who are supporting the business,” he added, pointing to ransomware-as-a-service operations such as LockBit. On Thursday, a dual Russian-Canadian national linked to the LockBit operation was arrested in Canada.

The hackers behind the Medibank breach have previously been linked to the high-profile Russian cybercrime gang REvil, also known as Sodinokibi. REvil’s once-defunct dark web leak site now redirects traffic to a new site that hosts the stolen Medibank data, and the hackers behind the breach have also been observed using a variant of REvil’s file-encrypting malware.

The Russian Embassy in Canberra was quick to rebuff allegations that the Medibank hackers are based in Russia.
“For some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional channels of communication,” the embassy said in a statement on Friday. “We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies.”

Russia’s federal security service, the FSB (formerly the KGB), said in January that REvil “ceased to exist” after several arrests were made at the request of the U.S. government. In March, Ukrainian national Yaroslav Vasinskyi, an alleged key member of the REvil group linked to an attack on U.S. software vendor Kaseya, was extradited from Poland to the U.S. to face charges.

“Even after a series of law enforcement operations against REvil, the gang and its affiliates still seem to keep returning, based on the analysis of the latest REvil ransomware sample,” Roman Rezvukhin, head of the malware analysis and threat hunting team at Group-IB, tells ZebethMedia.

Kershaw said on Friday that the AFP, along with international partners such as Interpol, will “be holding talks with Russian law enforcement about these individuals.”

“It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability,” Kershaw said. “To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”

While the AFP has successfully extradited people from Poland, Serbia, and the United Arab Emirates in recent years to face criminal charges in Australia, extraditing Russian hackers is likely to be challenging. In 2018, Russian President Vladimir Putin declared that “Russia does not extradite its citizens to anyone.”

Despite action by the AFP, the Medibank breach continues to worsen following the company’s decision to refuse to pay the cybercriminals’ ransom demand.
On Thursday, the attackers’ dark web blog posted more stolen data, including sensitive files related to abortions and alcohol-related illnesses. According to the blog, the cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer.

“Unfortunately, we expect the criminal to continue to release stolen customer data each day,” Medibank CEO David Koczkar said on Friday. “These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”

Hackers start leaking health data after ransomware attack

Medibank has urged its customers to be on high alert after cybercriminals began leaking sensitive medical records stolen from the Australian health insurance giant.

A ransomware group with ties to the notorious Russian-speaking REvil gang began publishing the stolen records early Wednesday, including customers’ names, birth dates, passport numbers, and information on medical claims. This comes after Medibank said it would not pay the ransom demand, saying, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”

The cybercriminals selectively separated the first sample of Australian breach victims into “naughty” and “good” lists, with the former including numerical diagnosis codes that appeared to link victims to drug addiction, alcohol abuse, and HIV, according to Agence France-Presse. For example, one record carries an entry that reads “F122,” which corresponds with “cannabis dependence” under the International Classification of Diseases published by the World Health Organization.

It’s also believed the leaked data includes the names of high-profile Medibank customers, likely including senior Australian government lawmakers such as Prime Minister Anthony Albanese and cybersecurity minister Clare O’Neil.

The portion of data leaked so far, seen by ZebethMedia, also appears to include correspondence of negotiations between the cybercriminals and Medibank CEO David Koczkar. Screenshots of WhatsApp messages suggest that the ransomware group also plans to leak “keys for decrypting credit cards” despite Medibank’s assertion that no banking or credit card details were accessed.

“Based on our investigation to date into this cybercrime we currently believe the criminal did not access credit card and banking details,” Medibank spokesperson Liz Green, who deferred to the company’s blog post, told ZebethMedia in an emailed statement on Wednesday.
The cybercriminal gang behind the Medibank ransomware attack, whose members’ identities are not known but which has relied on a variant of REvil’s file-encrypting malware, has so far leaked the personal details of around 200 Medibank customers, a fraction of the data that the group claims to have stolen. Medibank confirmed on Tuesday that the cybercriminals had accessed roughly 9.7 million customers’ personal details and health claims data for almost 500,000 customers.

What should victims do?

In light of the data leak, which exposed highly confidential information that could be abused for financial fraud, Medibank and the Australian Federal Police are urging customers to be on high alert for phishing scams and unexpected activity across online accounts. Medibank is also advising users to ensure they are not re-using passwords and have multi-factor authentication enabled on any online accounts where the option is available.

Medibank also launched a “cyber response support package” for affected customers, Medibank’s Green told ZebethMedia. This includes hardship support, identity protection advice and resources, and reimbursement of government ID replacement fees. The health insurance giant is also providing a wellbeing line, a mental health outreach service, and personal duress alarms.

Australia’s federal police are investigating the breach in collaboration with agencies from around the Commonwealth, as well as from the other members of the “Five Eyes” group of intelligence-sharing governments, including the U.K., U.S., Canada, and New Zealand.
Operation Guardian, the Australian government’s response to the recent wave of cyberattacks that began with the data breach at telco giant Optus, will be extended to Medibank to protect its customers from “financial fraud and identity theft.”

“Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” said AFP Assistant Commissioner Cyber Command Justine Gough. “Law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank Private data.”

What’s next?

In its latest update, Medibank is bracing for the situation to worsen, saying that it “expects the criminal to continue to release files on the dark web.” On its dark web leak site, the cybercriminals said they planned to “continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.”

Medibank says it will continue to contact all affected customers with specific advice and details of what data the attackers have accessed. However, customers at a heightened risk of being targeted by fraudulent emails should verify that emails are genuinely coming from Medibank. Medibank said it would not ask for personal details over email. If in doubt, don’t click any links.

It’s not yet known whether Medibank customers will receive compensation following the breach or whether Medibank will face action for failing to protect users’ confidential medical data. The breach comes just weeks after Australia confirmed an incoming legislative change to the country’s privacy laws, following a long process of consultation on reforms. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches and give greater powers to the Australian information commissioner.
Two law firms also said on Tuesday that they are investigating whether Medibank had breached its obligations to customers under the country’s Privacy Act. The firms, Bannister Law and Centennial Lawyers, will investigate whether Medibank breached its privacy policy and the terms of its contract with customers, and will also assess whether damages should be paid as a result of the breach.

Ransomware gang threatens to publish thousands of Australians’ health data

A ransomware group with suspected links to the notorious Russian-speaking REvil gang has threatened to release the personal information of millions of Medibank customers after the Australian private health insurance giant pledged it would not pay the cybercriminals’ ransom demand.

Medibank, Australia’s largest health insurance provider, first disclosed a “cyber incident” on October 13, saying at the time that it detected unusual activity on its network and took immediate steps to contain the incident. Days later, the company said that customer data might have been exfiltrated.

In an update posted this week, the Melbourne-based Medibank admitted that the attackers accessed roughly 9.7 million customers’ personal information, including names, birth dates, email addresses, and passport numbers. The cybercriminals also accessed health claims data for almost 500,000 customers, including service provider names and locations, where customers received certain medical services, and codes associated with diagnosis and procedures administered. For 5,200 users of Medibank’s My Home Hospital app, the cybercriminals accessed some personal and health claims data and, for some, next of kin contact details.

Medibank CEO David Koczkar said that while the health insurance giant believes that the attackers likely exfiltrated all of the data they were able to access, the organization would not pay the ransom demand. “Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Koczkar said. The chief executive added that paying could even encourage the hackers to adopt a triple-extortion tactic by attempting to extort customers directly.

Following Koczkar’s announcement, a ransomware gang believed to be a rebrand of the defunct REvil group threatened to leak the stolen Medibank data.
The new dark web leak site, seen by ZebethMedia, listed Medibank as one of its victims and said it planned to release the exfiltrated data publicly. The gang did not say how much data it exfiltrated from Medibank’s network, and did not share evidence of its claims.

The links between the new leak site and REvil remain unclear. REvil went dark in October after U.S. authorities pushed the operation offline, following the gang’s ransomware attacks against Colonial Pipeline, JBS Foods and U.S. technology firm Kaseya. Brett Callow, a ransomware expert and threat analyst at Emsisoft, said that the new operation uses a variant of REvil’s file-encrypting malware and that REvil’s old website now redirects to the new leak site.

Medibank described the gang’s threats as a “distressing development” in a second update published on Tuesday, and urged customers to be vigilant with all online communications and transactions.

“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them,” said Koczkar. “The weaponization of their private information is malicious, and it is an attack on the most vulnerable members of our community.”

Medibank added that it is working with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police, in order to try and prevent the sharing and sale of customer data.

News of the Medibank attack comes just weeks after Australia’s second largest telco Optus was breached. The Australian government confirmed an upcoming legislative change that would see companies that fail to adequately protect people’s data face fines of $50 million or more.

Australia to toughen privacy laws with huge hike in penalties for breaches

Australia has confirmed that an incoming legislative change will significantly strengthen its online privacy laws following a spate of data breaches in recent weeks, such as the Optus telco breach last month.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” said its attorney-general, Mark Dreyfus, in a statement at the weekend. “We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”

The changes will be made via an amendment to the country’s privacy laws, following a long process of consultation on reforms. Dreyfus said the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current AUS $2.22 million (~$1.4M) penalty to whichever is the greater of: AUS $50 million (~$32M); 3x the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover in the relevant period.

These amounts are substantially higher than an earlier draft of the reform last year (when penalties of AUS $10M or 10% of turnover were being considered). Major breaches such as at Optus, and another that followed hard on its heels at the health insurer Medibank Private, appear to have concentrated lawmakers’ minds. The change of government, earlier this year, also means there’s a new broom at work.

Additional changes trailed by Dreyfus include greater powers for the Australian information commissioner and a beefed-up Notifiable Data Breaches scheme to provide the privacy watchdog with a more comprehensive view of what’s been compromised in a breach, so that it can also assess the risk of harm to individuals.
The information commissioner and the Australian Communications and Media Authority will also be furnished with greater information sharing powers to enable more regulatory joint-working. Both agencies opened investigations into Optus following last month’s breach.

The privacy legislation amendment bill is slated to be presented to Australia’s parliament this week, per Reuters. The Attorney-General’s Department is also undertaking a comprehensive review of the Privacy Act that’s due to be completed this year, with recommendations expected for further reform, it said.

“I look forward to support from across the Parliament for this Bill, which is an essential part of the Government’s agenda to ensure Australia’s privacy framework is able to respond to new challenges in the digital era. The Albanese Government is committed to protecting Australians’ personal information and to further strengthening privacy laws,” added Dreyfus.
