In private briefings to other companies, Medibank has revealed the source of the catastrophic hack that allowed Russian-backed cybercriminals to steal the intimate medical records of about 480,000 customers.
The criminal syndicate found the login credentials for a single support desk worker at the health insurer whose account was not protected by two-factor authentication – a basic security control that requires a second verification step, such as a code sent to a mobile phone or email account, after the username and password have been entered – and gained access to virtually the entire contents of the company’s business.
Once inside, the hackers got even luckier. They were able to lurk for weeks without being noticed, ripping out sensitive data by the gigabyte as they went. By October 12, officers at the Australian Signals Directorate (ASD) decided to act on some suspicious activity that was playing out on the Medibank network and phoned the company about 1.20pm.
As it turns out, Medibank staff were watching the same “unusual cyberactivity” and wondering what to make of it. The next day, chief executive David Koczkar released a statement to the market acknowledging the intrusion, but believed there was no evidence at that time to suspect critical information had been stolen. That changed six days later when the hackers got in touch with some sample records. The news seemed to get worse and worse over the next few weeks as the size and scale of the problem grew.
But the hackers, who demanded a $15 million ransom that Medibank has refused to pay, may not have counted on their swindle being the one that fundamentally rewrote the rules of engagement for Australian authorities.
Late on Friday, November 11, Australian Federal Police Commissioner Reece Kershaw made a brief statement to media.
“We believe that those responsible for the breach are in Russia,” he said. “Our intelligence points to a group of loosely affiliated cybercriminals, who are likely responsible for past significant breaches in countries across the world.