Medibank detected ransomware 'precursor' activity

Suspects a set of compromised credentials was used in attack.

Medibank has provided more details of a cyber incident last week, saying it detected precursor activity consistent with a ransomware attack.

CEO David Koczkar said no customer data was taken and that the insurer had since brought its customer-facing systems back online. It had taken some systems offline immediately after monitoring systems detected the “unusual activity”.

“We have contained the ransomware threat but remain vigilant and will take the necessary steps in the future to protect our operations and customer data,” Koczkar said.

In a brief chronology of events, Medibank said it first detected “unusual activity” on its servers on Wednesday last week, leading its cyber security team to commence incident response, with the support of partners. 

“Later that evening, we identified the unusual activity was focused on the IT infrastructure we use to support our ahm and international student customer policy management systems.”

Medibank made the decision to temporarily block and isolate access to the two systems and entered into a trading halt while the activity was investigated, Koczkar said.

The customer-facing systems “were restored on new IT infrastructure” enabling business to resume as usual by Friday last week.

He added Medibank started to communicate with its customers via emails and texts on the Thursday, to keep them informed about the incident.

Answering questions from investors, Koczkar said Medibank is aware of how attackers were able to gain access to its systems.

“We believe ... one [set] of our credentials was compromised, but we've got an ongoing investigation into exactly what happened,” he said.

“We've taken all necessary steps to address this.”

He said the company found no evidence of access to customer data “but that is subject to our continuing forensic analysis”.

He said Medibank is “very happy with how we sit in terms of our ability to respond to a cyber incident” but noted the incident will lead to “some learnings”.

Koczkar said no significant costs related to the incident are expected.

He thanked the Australian Cyber Security Centre (ACSC), regulators and government departments “who have contributed to and supported our response and work so effectively with us.”

“We will also share technical information with our peers as part of our commitment to helping others understand this incident and allow them to bolster their own defences,” he said.

Koczkar also thanked customers for their patience.

Copyright © iTnews.com.au . All rights reserved.