Ransomware
OAIC / UpGuard / TechCrunch / Cyber.gov.au
Primary Source
Incident Details
A Russian cybercriminal (Aleksandr Ermakov, sanctioned by Australia in January 2024) accessed Medibank's network from 25 August to 13 October 2022 using stolen privileged VPN credentials on a VPN that did not enforce MFA. He exfiltrated 520 GB of data, including protected health information (PHI) of 9.7 million past and present customers: medical histories, Medicare numbers and passport numbers. A $10M ransom was demanded; Medibank refused to pay. The attackers then published sensitive health data (including mental health and drug treatment records) on the dark web. It was the largest breach in Australian history at the time. Ermakov was also sanctioned by the UK and the US.
Technical Details
- Initial Attack Vector: CWE-308 (Use of Single-Factor Authentication). Stolen VPN credentials; the VPN lacked MFA and required only a device certificate or a username/password.
- Vendor / Product: Medibank Private health insurance platform
- Malware Family: BlogXX / REvil variant
Timeline
- 2022-08-25 Breach occurred
- 2022-10-13 Publicly disclosed
- 2022-10-25 Customers notified