The Medibank data breach has already affected 9.7 million customers, and now that staggering number has risen even further, after it was discovered that staff details were also compromised.
Last month, the private health insurance giant announced it had been hit by a “cyber incident”, along with ahm, owned by Medibank.
Around 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers were affected after the credentials of a staff member with high-level access to Medibank systems were obtained and sold to hackers on a Russian cybercriminal forum.
The group has been publishing highly sensitive customer data since last week on a dark web blog linked to the REvil Russian ransomware group, including information about people’s mental health status, drug and alcohol use and previous pregnancy terminations, which can include non-viable pregnancies such as fetal anomaly, ectopic pregnancy, molar pregnancy, miscarriages and readmission for complications such as infection.
But an email sent to Medibank employees seen by news.com.au revealed hundreds of current and former employees were also affected, along with millions of customers.
“Hello everyone. We are very sorry to inform you that some data relating to your work device during your time working at Medibank has been stolen in the recent cybercrime event,” the worrying email to staff said.
“We do not believe the criminal had access to Success Factors or any payroll data, but he did access an Excel spreadsheet that included information related to his device. On Wednesday, November 9, this information was published by the criminal on the dark web.
“We recognize the distress this may cause you and apologize that this has happened.”
The email confirmed that the file included information such as employees’ full names, mobile numbers and device information, and warned that the data could be used to “increase spam such as spear phishing and social engineering”.
Spear phishing targets a specific person or group of people pretending to be from a trusted sender, while social engineering is the art of manipulating people into providing sensitive information such as passwords, the email explained.
The company urged employees to be “more vigilant” when using their mobile phones and to take a number of additional precautions, including being alert to any phishing scams by phone or email, verifying communications received to ensure they are legitimate, changing passwords regularly and avoiding opening links within texts or emails from unknown or suspicious numbers.
The email concludes by thanking the workers for their “understanding” as the firm “continues to respond to this cybercrime.”
A Medibank spokesperson confirmed that hundreds of past and present staff were also caught up in the breach.
“The files released by the criminal include an Excel spreadsheet of nearly 900 current and former employees, including their name, email address, mobile phone numbers and device information, including asset number and phone name (serial number and IMEI number),” the spokesperson said in a statement provided to news.com.au.
“Although security experts have told us the security risk is low, the information could be used to increase spam, such as spear phishing.
“A hacker will not be able to use the information to access people’s phone data or remotely hack into their phone. We have also taken steps through our telecoms provider to block the portability of phone numbers on Medibank devices.
“We offer our employees and former employees the option to change their mobile phone number at no cost to them.
“We also have a dedicated on-call psychologist.
“Employees who are customers can access the same support as any other Medibank and ahm customer.”
Class actions are approaching
The revelation comes after Bannister Law Class Actions and Centennial Lawyers joined forces to investigate the serious data breach for a potential class action against the health insurance giants.
Bannister Law director Charles Bannister told news.com.au that the firm’s lawyers had already been “inundated” with potential claimants, and said countless clients had already been seriously affected by the hack.
“There are understandably distressed victims of domestic violence in terms of their address details being known. We are seeing widespread problems,” he said.
“Some people literally live in fear of their lives if their addresses are made public, others live in fear of public ridicule, losing their jobs and having their relationship broken up if their sensitive medical information is made public.
“Others are at risk of being blackmailed if their HIV status or other health information is made public. Some of Medibank and ahm’s customers will be police or security officers who are at great personal risk if their personal details and the details of their close relatives are made public.”
Bannister Law Class Actions and Centennial Lawyers are now preparing legal proceedings to initiate a class action and expect to file shortly. The firms are urging all affected current and former Medibank and ahm customers, including international customers, to register their interest.
Originally published as New twist in Medibank hack nightmare as email reveals staff details also compromised