‘Deliberate, malicious’: Medibank praises government for pursuing Russian hacker.

The Albanese government has sanctioned Russia’s Aleksandr Ermakov over Medibank’s cyber attack, but security experts say companies need to do more to protect data.

Medibank has thanked the Albanese government for pursuing the Russian hacker behind Australia’s worst cyber attack, although IT security experts warn it is unlikely to deter further data breaches.

The government named Russian man Aleksandr Ermakov as the perpetrator of the October 2022 Medibank data breach, imposing new sanctions on the hacker over the Medibank attack.

The announcement marks the government’s first use of Australia’s autonomous cyber sanctions framework, making it a criminal offence punishable by up to 10 years’ jail to transact with Ermakov, including through cryptocurrency or ransomware payments.

Medibank said cybercrime was a “deliberate and malicious act and every effort should be made to deter criminals for undertaking these crimes”.

Medibank cyber hack. Foreign Minister Penny Wong confirmed cyber-criminal Aleksandr Ermakov had been linked to the attack. Picture: DFAT

The records of 9.7 million Australians were stolen in the Medibank attack, including names, dates of birth, Medicare numbers, and sensitive medical information, with many of the records published on the dark web.

“We appreciate the work of the Australian Federal Police, the Australian Signals Directorate, the Australian Cyber Security Centre, the Department of Home Affairs and the Department of Foreign Affairs and Trade in identifying this individual and the Australian Government for implementing sanctions against them,” the health insurer said.

“Since the cybercrime event we have supported our customers through our Cyber Response Support Program which includes mental health and wellbeing support, identity protection and financial hardship measures. We have also worked hard to re-establish the trust of our customers and other stakeholders.

“We know we can still do more as we continue to apply the lessons we have learnt. Work continues on uplifting and embedding the technology, processes and security culture within Medibank.”

But Nigel Phair, from Monash University’s Department of Software Systems & Cybersecurity, said that while the sanctions were a “step in the right direction”, they would do little to stop further attacks.

“I congratulate the Australian government for undertaking such a complex investigation. Attribution of cyber criminals is one of the hardest things to do,” Professor Phair said.

“This is unlikely to dissuade other internationally based cyber criminals from targeting Australian organisations or individuals, but is a step in the right direction.

“Australian organisations need to continue to protect their information holdings, the systems where these reside and the people who access it. This includes undertaking fundamental risk management and introducing a competent control framework.”

Satnam Narang, senior staff research engineer at cyber security software company Tenable, says it’s important that the government also sanctioned the online crime group behind the hack.

“The individual responsible for this attack was likely an affiliate of a ransomware group. It’s important to recognise that affiliates play a major role in conducting ransomware attacks, as they are incentivised by the payout structure offered by ransomware groups,” Mr Narang said.

“The ransomware ecosystem is vast, as groups come and go and affiliates serve as free agents that can easily pivot between groups regardless of law enforcement action. Deterrence requires a multilayered approach and the targeting of individual affiliates is an important step, but it’s equally important to ensure that the ransomware group behind the attack is identified and also sanctioned accordingly.”

Medibank is facing a $150m damage bill from the cyber attack’s fallout, including potential class action settlements, according to analysts. Medibank chief executive David Koczkar has apologised repeatedly for the attack and has been co-operating with cyber security and law enforcement agencies.

After Medibank refused to pay a $15m ransom, the cyber criminals drip-fed the release of customer health records throughout November 2022 to cause the health insurer “maximum harm” in a series of folders with labels relating to pregnancy terminations, drug and alcohol abuse and various mental health conditions.

Medicare card numbers of at least 2.8 million Medibank customers were also released. Health claims data relating to at least 480,000 customers, passport numbers and country of issue, verbal identification passwords, employers, employee ID numbers and visa details were among an unknown amount of other customer information that was compromised.

Slater & Gordon launched a class action last year on behalf of the 9.7 million customers whose health records, claims data and other personal information were published on the dark web.

The class action also alleges that Medibank breached its contractual obligations to customers, to whom it assured it had “adequate and appropriate security controls in place” to protect their information.

The action’s lead applicant said in the weeks following the heist, they became the target of a sophisticated scam.

“They knew my name and number, so that was pretty intimidating,” the applicant said.

“I feel really exposed and unsettled knowing some personal information of mine is out there, and there’s nothing I can do about it. Someone could open an account or take out a line of credit in my name.”

The applicant also criticised communication they received from the health insurer, saying it was difficult to understand what personal information had been stolen.

“I needed to take steps on my own to try and find that out, and then take further steps to try and keep myself safe.”

Another customer – who also became a scam target – said Medibank refused to reimburse them travel costs after they were forced to change their passport in Canberra.

“I am from Peru and came to Australia as an international student. I trusted Medibank to protect my information and finding out about the breach has caused me significant distress,” the customer said.

“After the data breach, I found out that my passport and visa details were compromised. The only way I can change my passport is in person at the Peruvian Embassy in Canberra. I live in Victoria, so this would be a significant expense. I contacted Medibank, but they refused to pay for my travel costs.

“I received confusing and conflicting notification letters. One said my passport details had not been compromised, and another confirmed they had been. After the data breach, I noticed a scammer tried to access my AfterPay account. This has caused me a lot of stress and worry for my future.”

Jared Lynch, Technology Editor

Jared Lynch is The Australian’s Technology Editor, with a career spanning two decades. Jared is based in Melbourne and has extensive experience in markets, start-ups, media and corporate affairs. His work has gained recognition as a finalist in the Walkley and Quill awards. Previously, he worked at The Australian Financial Review, The Sydney Morning Herald and The Age.

Original URL: https://www.theaustralian.com.au/business/technology/deliberate-malicious-medibank-praises-government-for-pursuing-russian-hacker/news-story/1cc821ac73129caaa4ec552e53ebd2a1