REvil-hit Medibank to pull plug on IT, shore up defenses

If safety regulations are written in blood, what are security policies written in? Sweat and cursing?

Australian health insurance company Medibank will take all of its IT systems offline and close its branches over the weekend as part of its ongoing efforts to improve security and recover from a massive data security breach in October.

The planned outage, dubbed Operation Safeguard, begins at 2030 Sydney time on Friday, December 9. The insurer said it expects all systems to be back online by Sunday "at the latest."

Microsoft's incident response team will be on site at the insurer's Melbourne headquarters to assist with the security overhaul.

"While there has been no further suspicious activity detected inside our systems since 12 October 2022, as part of the next stage of our work we are undertaking maintenance across some of our systems to further strengthen security," Medibank said in its most recent update.

The Oz outfit has also rolled out two-factor authentication at its contact centers, according to the same update.

"Since the cybercrime we have bolstered existing monitoring, added further detection and forensics capability across the Medibank system and network and have scaled up analytical support via specialist third parties," the alert states, noting that it's continuing to investigate customer information dumped on the dark web by crooks.

Late last week, those criminals, the Russia-based REvil ransomware gang, published what they claimed to be the remainder of the exfiltrated personal and health data, adding: "Case closed."

At the time, Medibank disputed this claim, and in today's update it said "we can confirm that the number of customer files stolen remains unchanged."

Medibank previously said thieves stole data belonging to nearly 10 million of its current and former customers. The insurance giant has refused to pay a ransom to the extortionists.

The health insurer first disclosed the intrusion on October 13. At the time it said it had taken down the systems that run two of its sub-brands as a precaution, and that there was no evidence customer data had been accessed at either of those brands or at Medibank itself.

About a week later it revised that assessment and said extortionists had made contact to negotiate a deal for the return of customer data. By that point the thieves had provided Medibank with a sample of 100 records, some of which included details of medical treatments customers had undergone.

By the end of October, this health insurance giant had disclosed that "personal data and significant amounts of health claims data" was stolen across all three brands. 

Last week, Australia's data protection regulator, the Office of the Australian Information Commissioner, formally launched an investigation into the data handling and security practices at Medibank that led to the breach.

If the OAIC finds "serious and/or repeated" interferences with privacy, it may seek civil penalties of up to AU$2.2 million for each violation.
