Australian health insurance giant Medibank has announced that all of its customers’ personal information was accessed by ransomware actors, a few days after playing down the impact of a recent breach.
The firm admitted in a new statement that the threat actors may have compromised personal data on all customers, including international students and policyholders with Medibank business ahm.
That could mean nearly four million Australians have been exposed to the risk of follow-on fraud and phishing attacks.
The data stolen may include names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, claims data and even passport numbers for some international students.
“The criminal also claimed to have stolen other information, including data related to credit card security,” the notice continued. “We are in the process of verifying this allegation. Our procedures restrict us from retaining full credit card numbers and we do not hold CVV numbers.”
The firm had originally assured customers that none of their personal data had been accessed during an extortion attack in which it stopped the perpetrators before they could deploy the ransomware payload.
However, the group subsequently got in touch to say that they had indeed exfiltrated as much as 200GB of data from the firm before it was discovered, providing a sample for Medibank to check.
The insurer still doesn’t know for sure how many customers are affected, as it continues its investigation.
“As previously advised, we have evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data,” it said.
“As a result, we expect that the number of affected customers could grow substantially.”
Reports have claimed the breach could cost the firm tens of millions of dollars as it doesn’t have cyber-insurance.
The confusing public statements issued by the company will only add to customer anger, and they highlight the challenge of incident response.
Jordan Schroeder, managing CISO at Barrier Networks, argued that improving cyber-resilience must be a priority for firms, as once actors get inside networks it can be difficult to determine the blast radius of attacks.
“This latest update comes only a few days after the company had said no customer data was compromised, so it certainly raises some alarm bells about the handling of the incident and investigation into the breach,” he added.
“However, in fairness, Medibank is not alone. Breach investigations are a long process, and it can sometimes take months to fully understand the scale and impact of attacks.”