Confidentiality concerns surrounding high-profile cyberattack
In the wake of October 2022’s cyberattack on Medibank, which exposed private information of approximately 10 million customers on the dark web, the company has chosen not to disclose the findings of an external review due to security concerns.
A Medibank spokesperson explained that the review would not be made public due to the confidential and sensitive nature of the cybersecurity measures discussed. The company believes that revealing the findings could pose security risks not only to Medibank but also to other Australian businesses.
The Medibank breach outcome
The hackers managed to acquire names, phone numbers, Medicare numbers, and sensitive health information of about 10 million Medibank customers during the cyberattack.
What caused the breach?
The Medibank data breach occurred due to the theft of internal credentials, presumably belonging to an individual with privileged system access. It is suspected that these credentials were obtained through phishing, which involves sending deceptive emails with malicious links to credential-stealing websites.
In this case, the hackers gained immediate access to privileged account details, allowing them to bypass the time-consuming process of moving through the network in search of higher-level credentials, known as ‘lateral movement.’ As a result, the cyberattack pathway was significantly shortened, enabling the data breach to be carried out much more swiftly.
Navigating the cybersecurity landscape: lessons from a major Australian data breach
As millions feel the personal impact of the breach, customers and shareholders have turned to legal action seeking justice, with both groups initiating separate class actions against Medibank.
This event emphasises the need for organisations to proactively defend their data and systems, as well as the value of cultivating a cybersecurity-aware culture to stay ahead of threats. Ultimately, this breach serves as a lesson and a driving force for change, prompting businesses throughout Australia to prioritise resilient cybersecurity.