Date: 2023-02-23

Credentials stolen from an IT service provider were used to hack into Medibank’s systems, the insurance provider has revealed.

In its half-year 2023 update, Medibank said cyber criminals, suspected to be from the Russian ransomware group REvil, accessed its systems with a stolen Medibank username and password used by an unnamed third-party IT service provider.

The stolen login details were then used to access Medibank’s network through a misconfigured firewall which did not require an additional digital security certificate, according to the six-month report.

Following the initial access, the hackers were able to obtain further usernames and passwords to gain access to a number of Medibank’s systems and their access was not contained.

It wasn’t until 24 hours later that the criminal’s attack path was closed following a triage of security alerts on 11 October.

Although there has been no further activity by the criminal since 12 October 2022, the infiltration led to 9.7 million current and former Medibank customers' sensitive information being breached.

In its report for the period ending 31 December 2022, Medibank revealed that the cyber attack cost it $26 million, with the insurer earlier revealing it had no cyber insurance provision in place.

The insurer notably decided not to pay the ransom demanded for the recovery of the data.

“We recognise the significant impact the cyber crime event has had on our customers,” said Medibank CEO David Koczkar.

“There is more work to do and the lessons we have learnt from the cyber crime will continue to shape our response and we will emerge stronger.

“We are a resilient business with great people, a unique offering in health, and a track record of responding to whatever challenge is in front of us. Whether it be COVID, inflation, cost-of-living pressures or the cyber crime event, our strategy has and will continue to put our customers and their needs at the heart of our business.

“While we did see some impacts on resident policyholder growth in the second quarter, there are positive signs of recovery. The performance in Medibank Health was steady despite the external environment.”

A month after the attack, the Australian Prudential Regulation Authority (APRA) floated tighter cyber security controls for regulated industries.

The regulatory authority has since intensified its supervision of Medibank. It is also conducting a review, overseen by Deloitte, which is examining the incident itself, control effectiveness and the response of Medibank.