
Cyber Incident Victim: Medibank

Date: May 2023

Location: Australia

Summary

A healthcare provider experienced a breach of employee data, including names, work email addresses, and phone numbers, through a third-party building management vendor's compromised MOVEit file-transfer system. The company confirmed its internal systems and customer data remained unaffected, having applied recommended security patches following vendor notification. This incident, attributed to the Cl0p ransomware group, occurred amid broader global attacks exploiting the MOVEit vulnerability, prompting a U.S. bounty for information on the perpetrators. The breach follows an earlier unrelated cyberattack where hackers stole sensitive health claims and personal information of millions of customers, subsequently leaking abortion and substance abuse records after the firm refused ransom demands.

Description

In late 2022, Medibank Private Ltd experienced a major cybersecurity breach affecting 9.7 million current and former customers. The attack was attributed to the pro-Russian REvil ransomware gang, which exfiltrated sensitive customer data including personal information and health claims. Approximately 500,000 customers had particularly sensitive health information stolen, encompassing details related to medical procedures such as abortions and records of drug and alcohol abuse. The attackers issued ransom demands, but Medibank, following advice from government authorities and security consultants, refused payment. In retaliation, the hackers released the stolen data in multiple tranches through public leaks. This data dump included highly confidential health records, causing significant public concern and reputational damage across Australia. The incident was one of the largest and most intrusive health data breaches in the country's history, and Medibank's own systems were confirmed as the intrusion point in this attack.

A separate incident occurred in May 2023 when Medibank staff data was compromised through a third-party breach involving the MOVEit file-transfer software. Russian cybercrime group Cl0p exploited vulnerabilities in MOVEit, a tool used by Medibank's property and facility management provider, to steal employee names, work email addresses, and phone numbers. Medibank confirmed its internal systems remained unaffected and no customer data was exposed in this incident. Upon being notified of the MOVEit vulnerabilities by vendor Ipswitch, Medibank immediately applied all recommended security patches and collaborated with the vendor to investigate the breach. The Cl0p group's broader MOVEit campaign impacted hundreds of global organizations, including US federal agencies, Shell, and the BBC, prompting the US State Department to offer a $10 million reward for information linking Cl0p to the attacks. This breach followed a similar pattern to earlier 2023 incidents involving third-party data transfer tools like GoAnywhere, which affected companies including Rio Tinto and Crown Resorts. Medibank's 2023 breach was confined to staff information via the third-party provider, contrasting with the direct system compromise and catastrophic customer data exposure experienced in 2022.
