The Medibank data breach has already impacted 9.7 million customers – and now, that staggering number has increased even further, after it emerged that staff details had also been compromised.
Last month, the private health insurance giant announced it had been hit by a “cyber incident”, along with ahm, which is owned by Medibank.
Around 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers were affected after the credentials of a staff member with high-level access to Medibank systems were obtained and sold to hackers on a Russian cybercriminal forum.
The group has been releasing highly sensitive customer data on a dark web blog linked to the REvil Russian ransomware group since last week, including information about people’s mental health status, drug and alcohol use and previous pregnancy terminations, which may include non-viable pregnancies such as foetal anomaly, ectopic pregnancy, molar pregnancy and miscarriage, and readmission for complications such as infection.
But an email sent to Medibank employees seen by news.com.au has revealed that hundreds of current and former employees had also been impacted, along with millions of customers.
“Hi Everyone. We’re deeply sorry to inform you that some data relating to your work device for the time that you worked at Medibank has been stolen in the recent cybercrime event,” the troubling staff email reads.
“We do not believe that the criminal had access to Success Factors or any payroll data, however they did access an Excel spreadsheet that included information relating to your device. On Wednesday, 9 November this information was posted by the criminal on the dark web.
“We recognise the distress that this may cause you and we apologise that this has happened.”
The email confirmed the file included information such as employees’ full names, mobile numbers and device information, and warned that the data could be used for “increased spam such as spear phishing and social engineering”.
Spear phishing targets a specific person or group of people while purporting to come from a trusted sender, and social engineering is the art of manipulating people into providing confidential information such as passwords, the email explained.
The company urged staffers to be “extra vigilant” when using their mobile phones and to follow a range of extra precautions, including being alert for any phishing scams via phone or email, verifying any communications received to ensure they are legitimate, changing passwords regularly and avoiding opening links within texts or emails from unknown or suspicious numbers.
The email concluded by thanking workers for their “understanding” as the firm “continues to respond to this cybercrime”.
A Medibank spokesperson confirmed that hundreds of past and present staff members had also been caught up in the breach.
“The files released by the criminal include an Excel spreadsheet of around 900 current and former employees – including their name, email address, their mobile phone numbers and the device information including the asset number and phone name (serial number and IMEI number),” the spokesperson said in a statement provided to news.com.au.
“While security experts have told us that the security risk is low, the information could be used for increased spam such as spear phishing.
“A hacker will not be able to use the information to access people’s phone data or remotely hack into their phone. We’ve also taken steps through our telecommunications provider to block porting of phone numbers for Medibank devices.
“We have offered our employees and former employees the option to change their mobile phone number at no cost to them.
“We also have a dedicated on-call psychologist available.
“For employees who are customers they are able to access the same support as any other Medibank and ahm customer.”
Class action looms
The revelation comes after Bannister Law Class Actions and Centennial Lawyers joined forces to investigate the serious data breach for a potential class action against the health insurance giants.
Bannister Law principal Charles Bannister told news.com.au lawyers had already been “inundated” with potential claimants, and said countless customers had already been seriously affected by the hack.
“There are understandably distressed victims of domestic violence as to their address details being made known. We are seeing widespread issues,” he said.
“Some individuals are literally living in fear for their lives if their addresses are made public, others live in fear of public ridicule, the loss of their employment and relationship break ups if their sensitive medical information is made public.
“Others are at risk of being blackmailed if their HIV status or other health information is made public. Some of Medibank and ahm’s clients will be police or security officers who are at great personal risk if their personal details and the details of their close family members become public.”
Bannister Law Class Actions and Centennial Lawyers are now preparing legal proceedings to commence a class action, and expect to file proceedings shortly. The legal firms urge all affected current and previous Medibank and ahm customers, including international customers, to register here.