Medibank breach linked to 11,000+ other cyber incidents

Shanna Hall

In the aftermath of several high-profile data breaches in Australia, a joint police operation codenamed “Operation Guardian” claims to have linked 11,000 cybercrime incidents to the Medibank data breach alone. 

Disclosed in a submission by Victoria Police to a federal cybercrime inquiry, the figure echoes a warning that Eftsure issued in 2023: stolen data is ammo for other scammers and fraudsters to find new targets, tailor their tactics, and create more convincing ruses. 

Let’s look at why, along with what we know about Victoria Police’s claim.

Why do data breaches fuel cybercrime?

In this webinar recording, we do a deep dive that answers the question. But we’ll recap here, too.

What we mean by ‘data breach’

First, it’s important to note that data can end up in the wrong hands for a variety of reasons. In our conversation with CipherStash’s Dan Draper, he explained that there’s a spectrum ranging from accidental exposure to malicious theft.

“When we say ‘breach,’ we could mean something as sinister as an attack but we could also just mean quite simply that information has been made visible – likely inadvertently – to somebody who really shouldn’t have had access.” – Dan Draper, Founder and CEO of data security company CipherStash

Two examples of this spectrum:

  1. The Service NSW data breach, in which a “technical issue” exposed customers’ data for roughly an hour and a half.
  2. The Medibank attack, in which cybercriminals hacked Australia’s largest health insurer and demanded $15 million in exchange for not publishing customers’ sensitive medical and financial information.

One of the primary concerns in the aftermath of a data breach is the potential for identity theft and financial fraud. Cybercriminals can use stolen personal information, such as names, addresses and financial details, to open fraudulent accounts, apply for loans or engage in other illicit activities. Even seemingly innocuous data points can be combined and enriched to create sophisticated scams targeting individuals and businesses.

But the implications extend far beyond financial fraud. Stolen data can also be used for extortion attempts, phishing campaigns, and other malicious activities designed to exploit vulnerabilities and extract value from unsuspecting victims.

How data goes from exposed to exploited

The risk of follow-on cybercrime is significantly higher in cases like the Medibank attack, but stolen data doesn’t need to come from one of Australia’s most notorious ransomware attacks in order to end up on the dark web. In fact, there’s so much ill-gotten data available on the dark web and in private scammer circles that much of it is traded at relatively cheap prices.

Whether it’s circulated within cybercrime forums or simply seized upon by a single opportunistic fraudster, ill-gotten data doesn’t need to be comprehensive to be useful. Cybercriminals often only need a single piece of information to assemble a very clear picture of their targets – this could mean leveraging the data to infiltrate other systems, or it could mean using the data to tailor their scamming tactics and more easily deceive their target.

“Hackers don’t come in directly for your bank account,” explained Bastien Treptel, co-founder of CTRL Group and former black-hat hacker, during a CommBank security panel at Sydney SXSW 2023. “We’re going to go for your Spotify account and find out what your password is. We’re going to look on the dark web and find all these other copies of your identity. We’re going to use AI to do that in 30 seconds or a minute.

“Then, we’re going to build a profile of you and come in via Instagram… get access to your phone, realise you’ve been part of the Optus breach, then get access to your phone password, then reset your CommBank SMS code, and then just pull the money out of your account.”

Treptel also emphasised that artificial intelligence (AI) is making it even easier for cybercriminals to exploit bits of personal information along these pathways.

“AI is getting quite imaginative at creating these new attacks. You can now say to a dark version of GPT, ‘Hey, I’ve got this information about this person. How could I extort them? How could I steal some money from them? How could I leverage their access? Who do they know?’”

In other words, one data breach can beget other breaches or cybercrimes. A single exposure can create massive ripple effects.

What we know about the links between cybercrime and the Medibank breach

If a small and inadvertent breach can have major ripple effects, then it’s not hard to see how a devastating attack like that of Medibank – which impacted over 9.7 million customers – can create an even greater volume of scam attempts, identity theft, fraud and cybercrime.

Recent disclosures from Operation Guardian appear to support that notion.

What is Operation Guardian?

Operation Guardian is a collaborative effort involving federal, state, and territory police agencies, as well as other organisations. It was initially established to monitor and address the misuse of personal information following the Optus data breach in 2022, but its scope quickly expanded to encompass the Medibank, MyDeal, Latitude Financial and GoAnywhere breaches.

VIC police link the Medibank breach to 11,000 cybercrime incidents

In late 2023, the Joint Committee on Law Enforcement opened a parliamentary inquiry into cyber readiness, soliciting submissions from the community and law enforcement agencies.

In their submission, Victoria Police linked major cyber attacks to knock-on incidents like identity theft or phishing attempts.

“Recent attacks illustrate the severity [of cyber attacks],” reads the submission. “The Optus and Medibank Private data breaches impacted over 942,000 Victorians, many of whom continue to turn to Victoria Police for advice and support as they are at risk of identity crime.

“Operation Guardian has so far linked over 11,000 cybercrime incidents to the Medibank data breach.”

The delicate interconnectedness of security: higher risks for businesses and individuals

One data breach can have ripple effects that extend far beyond its initial impact – and it’s a concept that applies to almost every security incident.

Just as stolen data can create higher scam risks even for those who weren’t impacted in the initial breach, a single compromised system or deceived employee can jeopardise entire ecosystems of businesses and organisations.

Even if your organisation’s cyber defences and control procedures are air-tight, how do you know that all of your vendors’ defences are equally robust? Are you positive that all of your procedures have been designed to combat fast-evolving threats like AI-enabled scams? Often, all that cybercriminals need is one employee to click the wrong link or input the wrong payment details.

Unfortunately, accounts payable (AP) and finance employees are on the frontlines of this type of cybercrime. As guardians of their organisations’ money, they’re popular targets for scammers.

A multi-faceted problem demands multi-faceted solutions. Generally, this means scrutinising three main areas:

  1. People. Are your AP or finance teams trained to recognise red flags and scam attempts? When was the last time they were trained and did that training include emerging threats like AI? The more employees understand how sophisticated tactics can be, the more they’re likely to question unusual requests or messages.
  2. Processes. Are you segregating duties? How much of your payment process has an audit trail? How easily could a scammer use sophisticated technology or an in-depth understanding of your processes to sidestep security guardrails? One of the most effective ways to understand any potential process vulnerabilities is to put your control procedures to the test.
  3. Technology. If many of your processes or detective controls are manual, you might be ceding the technological advantage to cybercriminals. Automating certain processes reduces the risk of human error or negligence, while real-time alerts or information can equip employees to make safer decisions.