Medibank has provided additional details about a cyber incident that occurred last week, stating that it detected precursor activity consistent with a ransomware attack.
CEO David Koczkar stated that no customer data was taken and that the insurer had since brought its customer-facing systems back online. It had taken some systems offline immediately after monitoring systems detected "unusual activity."
“We have contained the ransomware threat but remain vigilant and will take the necessary steps in the future to protect our operations and customer data," Koczkar said.
According to a brief timeline, Medibank discovered "unusual activity" on its servers on Wednesday last week, prompting its cyber security team to launch an incident response with the assistance of partners.
“Later that evening, we identified the unusual activity was focused on the IT infrastructure we use to support our ahm and international student customer policy management systems.”
Medibank decided to temporarily block and isolate access to the two systems and halt trading while the activity was investigated, according to Koczkar. The customer-facing systems "were restored on new IT infrastructure," allowing business to resume as usual by last Friday.
He continued On Thursday, Medibank began communicating with its customers via emails and texts to keep them updated on the incident. In response to investor questions, Koczkar stated that Medibank is aware of how attackers gained access to its systems.
“We believe ... one [set] of our credentials was compromised, but we've got an ongoing investigation into exactly what happened," he said.
"We've taken all necessary steps to address this.
He stated that the company found no evidence of unauthorised access to customer data, "but that is subject to our ongoing forensic analysis." Added that, while Medibank is "very happy with how we sit in terms of our ability to respond to a cyber incident," the incident will result in "some learnings."
According to Koczkar, no significant costs are expected as a result of the incident. He thanked the Australian Cyber Security Centre (ACSC), regulators, and government agencies for "contributing to and supporting our response and working so effectively with us."
Further concluded, “We will also share technical information with our peers as part of our commitment to helping others understand this incident and allow them to bolster their own defences."
