Cyber Incident Victim: Medibank
Date: Oct 2022
Location: Australia
Summary
Medibank, a major Australian health insurer, experienced a ransomware attack that came to light when unusual network activity was detected, prompting immediate containment measures, including the temporary shutdown of customer-facing systems, to mitigate potential data loss. The company confirmed that no systems were encrypted and initially found no evidence of customer data compromise, though it notified millions of customers via email and SMS about service disruptions and implemented enhanced security protocols. Collaborating with external cybersecurity experts and government agencies, Medibank restored normal operations while establishing a support program for affected individuals, offering resources to address identity theft risks, scams, and mental health impacts stemming from the incident.
Description
On October 12, 2022, Medibank Private Limited, one of Australia's largest private health insurers covering 3.7 million people, detected unusual activity on its network. The company responded immediately by containing the incident, engaging specialized cybersecurity firms, and isolating customer-facing systems to prevent potential data loss or system damage. Specific systems taken offline included the ahm health insurance and international student policy management platforms, causing operational disruptions that prevented customer service representatives from accessing policy information during the outage. Medibank CEO David Koczkar issued a public apology for the service interruptions while emphasizing ongoing investigations and the priority of protecting customer and stakeholder data. Customers retained limited access to support via telephone channels, though the company established an online information page to provide incident updates. Initial assessments found no evidence of unauthorized access to sensitive customer data, with Medibank maintaining partial service continuity for core health services despite the disruptions.

By October 17, Medibank confirmed the incident as a ransomware attack, though forensic analysis indicated that no systems had been encrypted, and the company reiterated that there was no substantiated evidence of customer data exfiltration. The company had sent approximately 2.8 million notifications via email and SMS to inform customers about the incident and service restoration progress. As a precautionary measure, Medibank implemented additional network security enhancements and continued collaborating with external cybersecurity experts and the Australian Government's lead cyber agency throughout the investigation. The insurer activated a dedicated Cyber Response Support Program offering identity theft guidance, scam management resources, multilingual assistance, and mental health support for affected customers. Operational normalization progressed with most systems restored, though Medibank maintained heightened security protocols and ongoing monitoring while pledging transparent updates as the forensic review continued.
