
Company credential theft caused Medibank hack, investigation suggests

The investigation into the Medibank hack has found that the stolen credentials of somebody with high-level access within the private health insurer could have been the cause of the hack.

Reporter
Tue, 25 Oct 2022

Over the past two weeks, Medibank has been analysing how the hack occurred, in tandem with the Australian Federal Police (AFP) and the Australian Signals Directorate, which are also investigating the security incident.

On 13 October, the private health insurer reported a “cyber incident” and said it had taken two systems offline. The company further revealed that it had been contacted by hackers who claimed to have stolen over 200GB of customer data from Medibank systems.

Aiming to initiate a negotiation, the hacker released a sample of 100 records from the private health insurer’s dataset to prove its authenticity, including names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data, along with information about diagnoses, procedures and the location of medical services.

It is believed that the entry point for the cyber attack on the private health insurer was the theft of credentials belonging to a person with high-level access within Medibank’s systems. The credentials were then sold on a Russian-language cyber crime forum, according to a report from The Guardian that attributed the information to a source who was not authorised to speak publicly.

Reportedly, another hacker or group of hackers bought the credentials, infiltrated Medibank’s network and established two backdoors, one of them for redundancy in case the other was detected.

A view forming within Medibank is that the attacker first examined Medibank’s network and internal applications, not just customer data, then deployed a bespoke tool to withdraw customer information from Medibank’s customer database, writing the data to a zip file that the attackers could then retrieve from the company’s network.

According to Fergus Hanson, the director of the Australian Strategic Policy Institute’s International Cyber Policy Centre, “This could have been a preventable attack”.

“Essentially, high-level credentials were stolen, or identified, and they were then sold, and somebody bought it.

“That’s how these hackers could basically write some software to script out the data.

“Is every organisation gripped up to deal with this? Well, absolutely not,” Hanson said.

The Albanese government has announced that, under new legislation to be introduced to parliament, companies that fail to adequately protect people’s data could face fines of $50 million or more. It is unclear whether multi-factor authentication was compromised or bypassed in the Medibank incident.

In the past month, Medibank has become one of several high-profile Australian companies hit by a security breach, following the Optus data breach, which exposed up to 10 million customers, and subsequent breaches at Woolworths and Vinomofo.
