Medibank data breach deepens as staff information hack revealed


The theft was part of the same hack that acquired data on all 9.7 million current and former customers, including sensitive health information on about 500,000 policyholders.

The email Medibank sent to employees on Monday evening said hackers had accessed data on about 900 current and former employees – including their names, email addresses, mobile phone numbers and work device information – and posted it on the dark web on November 9.

“Our security team have advised that the information above may be used for increased spam such as spear-phishing and social engineering,” Medibank said in the email.

Spear-phishing is phishing targeted at a specific person or group of people, using messages that purport to be from a trusted sender. Social engineering is the art of manipulating people so they provide confidential information such as passwords.


The Medibank cyberattack was triggered when hackers gained access to the company’s internal systems by stealing the login credentials of an employee or contractor.

“While security experts have told us that the security risk is low, the information could be used for increased spam such as spear-phishing,” a Medibank spokeswoman said.

“A hacker will not be able to use the information to access people’s phone data or remotely hack into their phone. We’ve also taken steps through our telecommunications provider to block porting of phone numbers for Medibank devices.”

Porting refers to transferring a mobile phone number to another telco provider.

The company told employees to be extra vigilant when using their mobile phones and to take extra precautions such as being alert for any phishing scams via phone or email, verifying any communications received to ensure they are legitimate, and not opening suspicious texts and emails.

It also asked employees to use “strong” passwords and activate multi-factor authentication on any online accounts “where available”.

Multi-factor authentication is a security measure that requires two or more proofs of identity to grant you access. Typically this involves sending a code to a separate device such as a mobile phone and would prevent hackers gaining access with just login credentials.


“Please note, IT…
