Criminals behind the Medibank cyberattack gained access to the health insurance company’s network by stealing high-level credentials, its chairman said today. Medibank is otherwise staying tight-lipped about the attack and its cybersecurity set-up, with Deloitte having been called in to investigate the incident, which resulted in the theft of data on 9.7 million past and present customers and employees.
Medibank has so far refused to meet the ransom demands of the cybercriminals behind the breach, and as a result data from the attack has started to leak on the dark web.
Medibank hacked using high-level credentials
During the company’s annual general meeting, held earlier today, Medibank chairman Mike Wilkins announced that cybercriminals infiltrated its systems using “high-level credentials”, which had the level of clearance needed to access a large amount of data.
Wilkins also explained that the company had implemented multi-factor authentication (MFA) at the time of the attack, but did not offer any further detail about how the breach happened.
There were calls from shareholders for an explanation as to how the company was hacked and what its cybersecurity posture was at the point of the attack. Wilkins declined to comment on specifics, declaring instead that the company has embarked on an external investigation with consultants from Deloitte, deferring questions until after the investigation is complete. This is expected to take several months.
The value of Medibank’s shares has dropped by 18% in the past month as the magnitude of the breach became clear. It is thought Medibank could face class-action lawsuits from affected customers, which may end up costing the company millions of dollars.
How Medibank is responding to the cyberattack
Mitigatory efforts to comfort the victims of the attack are now underway. CEO David Koczkar said that, from Wednesday, the company would start contacting the 480,000 victims whose healthcare records had been leaked. These include victims of domestic violence.
Currently, there are no cybersecurity or IT experts at board level in Medibank, continued Wilkins. He and Koczkar were both adamant the company would continue to resist any ransom demands. “From the outset, Medibank has been committed to doing the right thing by our customers, our people and the community in relation to this crime,” Wilkins said. “This includes our decision not to pay any ransom demand for this data theft.”
Koczkar also used the opportunity to once again implore the public not to download any of the customer information available on the dark web. “We share the prime minister’s and the police’s call to all media and social media platforms to protect the community by not posting or publishing this information,” he said. “While we understand the public interest, reporting details of this crime only feeds the criminal’s need for notoriety.”
Some shareholders, however, were reportedly unimpressed, with one who spoke to the Brisbane Times describing the board’s response as “very poor” and saying that the company’s attitude to the incident had been “unsatisfactory”, while another said the company had been “asleep at the wheel” at the time of the breach.