Australian Insurer Medibank Says Incident Was Ransomware

Australian insurer Medibank says the cybersecurity incident on Wednesday that caused it to suspend stock trading and take public-facing systems offline was likely a ransomware attack.

See Also: Building a Secure IoT Deployment Using 5G Wireless WAN

The provider of private health insurance for nearly 4 million Australians now says normal operations have resumed and trading resumed Monday.

Unusual network activity was “consistent with the precursor to a ransomware event,” the company says, adding that “an abundance of caution” led it to isolate systems servicing its ahm health insurance subsidiary and its website for international students studying in Australia. CEO David Koczkar says no evidence has been uncovered that attackers exfiltrated customer data.

The company ended the day with shares down 3.4% even as Koczkar attempted to assure investors that no systems had been maliciously encrypted. Shortly after detecting the incident, the company asked the Australian Securities Exchange to suspend trading of its shares (see: Australian Insurer Back Online After Cyberattack).

Medibank says it has restored ahm health insurance and the systems for international students on new IT infrastructure and upgraded its cybersecurity.

“There is no indication that the incident was caused by a state-based threat actor,” the company also says. Most ransomware hackers, with the exception of North Korean threat actors, aren’t state-sponsored – although state-sponsored hackers can engage in ransomware as a financially motivated side project (see: US Indicts, Sanctions 3 Iranian Nationals for Ransomware).

The Medibank incident comes on the heels of an apparent spate of hacks affecting Australian companies, including a September data breach affecting approximately 10 million people at Optus, the country’s second-largest wireless carrier (see: Two Australian Regulators Investigating Optus Breach).

The cluster of known data breaches continues into this week as Woolworths’ e-commerce site MyDeal acknowledged that a hacker used a compromised user credential to gain access to its Customer Relationship management system. The majority of the stolen data consists only of email addresses, but for some customers, phone numbers, addresses and birthdates were also taken.

Someone using the name “dior” is purporting to sell the full data set for $600 on a hacker forum. Dior didn’t post a sample and received some skepticism on the forum. “Have you seen the nonsense for sale on ‘MYDEAL.’ It is the garbage discount stuff,” wrote someone with the handle MSHacker.