900 Medibank staff dragged into cyber hack

Whilst the numbers might be a mere drop in the ocean compared to the 9.7 million customers affected by a cyber security breach at Medibank (ASX: MPL), the health insurer has revealed the attack has now extended to hundreds of staff.

"The files released by the criminal include an Excel spreadsheet of around 900 current and former employees – including their name, email address, their mobile phone numbers and the device information including the asset number and phone name (serial number and IMEI number)," Medibank said in a statement, clarifying it has around 4,000 current employees. 

Security experts have informed the company the security risk of this data release is low, but the information could be used for increased spam such as spear phishing, whereby victims receive seemingly legitimate emails or other electronic communications that deceive them into clicking through to websites filled with malware.

"A hacker will not be able to use the information to access people’s phone data or remotely hack into their phone.  We’ve also taken steps through our telecommunications provider to block porting of phone numbers for Medibank devices," the insurer said.

"We have offered our employees and former employees the option to change their mobile phone number at no cost to them.

"We also have a dedicated on-call psychologist available."

Employees who are also customers are able to access the same support as any other Medibank and ahm customer.

The theft of customer data, which has been followed by staggered releases of data on the dark web, is of a similar scale to the Optus customer data hack that recently preceded it but is unprecedented in Australia given its inclusion of the highly personal health information of around 480,000 customers. 

Two class actions against Medibank are currently being explored by different law firms, the first by Bannister Law Class Actions and Centennial Lawyers, and the other by Maurice Blackburn.

Late last week, Australian Federal Police Commissioner Reece Kershaw described the attack as unacceptable and deserving of a response that matches the malicious and far-reaching consequences that the crime is causing.

"I know Australians are angry, distressed and seeking answers about the highly-sensitive and deeply personal information that is being released by criminals who breached Medibank Private’s data base," Kershaw said.

"This is a crime that has the potential to impact on millions of Australians and damage a significant Australian business.

"The AFP is undertaking covert measures and working around the clock with our domestic agencies and our international networks, including INTERPOL."

He said the agency believed those responsible for the breach were in Russia, with intelligence pointing to a group of loosely affiliated cyber criminals who have been behind past significant breaches in countries across the world.

The AFP Commissioner did not name the cyber group that is under the lens, although the hack is widely believed to be either from a group called REvil - whose members were reportedly arrested by Russian authorities around six weeks before the invasion of Ukraine - or an iteration or offshoot of that gang. 

"These cyber criminals are operating like a business with affiliates and associates, who are supporting the business," Commissioner Kershaw said.

"We believe we know which individuals are responsible but I will not be naming them. What I will say is that we will be holding talks with Russian law enforcement about these individuals."

The Commissioner also made an appeal to businesses to ensure their systems are protected.

"Cybercrime is the break and enter of the 21st Century and personal information is being used as currency," he said.

"Finally, I want to reiterate that Australian Government policy does not condone paying ransoms to cyber criminals.

"Any ransom payment, small or large, fuels the cybercrime business model, putting other Australians at risk."

Medibank's CEO David Koczkar has repeatedly stood by his stance not to cave into ransom demands.