Medibank v the hackers: how the health insurer fell to a mass data theft

Just after 1pm on 12 October, Medibank received a call from the Australian Signals Directorate. There had been chatter online that the Australian health insurance giant was about to become the victim of a ransomware attack, the spy agency warned.

Medibank had already determined there had been unauthorised access to its network and had shut off two backdoors that hackers had been using to get in and out of its systems.

There was no evidence that sensitive data had been accessed, the company said at the time. It believed the ransomware attack had been foiled.

But on 19 October, Medibank announced it had begun receiving messages from a hacker group about customer data removed from its systems. For the second time that month, it went into a trading halt.

Those communications continued from 18 to 24 Octoberas the company tried to figure out the nature of the data taken.

By 25 October, the hackers were getting impatient.

On 27 October, the hackers promised that once payment had been made they would explain to the company how the hack occurred and what it could do to prevent it happening again.