From: "Medibank" <***@comms.medibank.com.au>
Subject: Confirmation of data stolen in recent cybercrime
Date: 12 November 2022 at 08:27:34 AEDT
To: xxxxxx
Reply-To: ***@Medibank.com.au


Can't read this email? Click here to view in your browser

Medibank
Reference number: xxxxxx

Dear Mr xxxxxx,

We’re deeply sorry to inform you that some data relating to your former
membership has been stolen in the recent cybercrime event.

This email details what specific membership data was stolen, outlines
actions you can take to safeguard your online identity, and the services
available through our Cyber Response Support Program.

Which of your data has been stolen
Based on our investigation, we can confirm the following data relating
to your membership has been stolen:
• first name and surname
• gender
• date of birth
• email (where you have provided it to us)
• address
• phone number (where you have provided it to us)
• policy number
• Live Better activities & rewards data (where this applies to you)

We believe the criminal has not stolen:
• Credit card and banking details
• Your health claims data
• Primary identity documents, such as a driver's licence. Medibank does
not collect primary identity documents for Australian resident customers
except in exceptional circumstances
• Health claims data for extras services (such as dental, physio,
optical and psychology).

Identity protection
The federal government has issued a fact sheet about this cybercrime
event and the steps you can take to safeguard your data. You can view it
here.

We have engaged IDCARE – Australia's national identity and cyber support
community service – to assist all customers who have concerns about the
exposure of their data. To access this free service, visit the dedicated
page for Medibank and ahm customers.

Extra precautions you can take
We recommend being vigilant with all online communications and
transactions, namely:

• Being alert for any phishing scams that may come to you by phone, post
or email
• Making sure to verify any communications you receive to ensure they
are legitimate
• Being careful when opening or responding to texts from unknown or
suspicious numbers
• Regularly updating your passwords with ‘strong’ passwords, not
re-using passwords and activating multi-factor authentication on any
online accounts, where available.

Medibank will never contact you asking for your password or sensitive
information.

Customer data on the dark web
We believe data that was stolen has been released by the criminal on the
‘dark web’. The dark web is a closed online network, often accessed for
criminal purposes. We strongly advise all affected customers to take the
precautions outlined to safeguard their online identity. We recognise
the distress this may cause you and we apologise.

The Australian Federal Police and Operation Guardian
The Australian Federal Police (AFP) have announced it will protect
Medibank customers whose personal information has been unlawfully
released online by criminals. They have taken immediate measures to
identify further criminal activity. The AFP has stated that law
enforcement will take swift action against anyone attempting to benefit,
exploit or commit criminal offences using stolen Medibank data. You can
read more about Operation Guardian here.

If a person contacts you threatening to release your data unless payment
is made, please report this immediately to ReportCyber via their website
or on 1300 292 371.

To report a scam, please do so via ScamWatch. If there is an imminent
threat to your safety, call Triple Zero.

Support for customers
We have established a Cyber Response Support Program to support our
current and former customers:

• A cybercrime health & wellbeing line – counsellors who have experience
supporting vulnerable people (such as those at risk of domestic
violence) and have been trained to support victims of crime and issues
related to sensitive health information
• Mental health outreach service – proactive support service for
customers identified as being vulnerable, or through referral from our
contact centre team
• Better Minds App – new tailored preventative health advice and
resources specific to cybercrime and its impact on mental health and
wellbeing, including tools for managing anxiety and fear, with
additional phone based psychological support available
• Personal duress alarms for customers particularly vulnerable and/or
with safety risks
• Hardship support for customers who are in a uniquely vulnerable
position as a result of this crime
• Specialist identity protection advice and resources through IDCARE’s
purpose-built page for Medibank and ahm customers
• Free identity monitoring services for customers whose primary identity
document has been compromised as a result of this crime
• Reimbursement of ID replacement fees for customers who need to replace
any identity documents that have been compromised as a result of this
crime. Please ensure you keep a copy of the receipt
• Specialised teams to help our customers who receive scam
communications or threats in relation to this cybercrime.

For further information on how to access the Cyber Response Support
Program and details of our extended contact centre opening hours, please
visit medibank.com.au/cybersecurity or call our contact centre team on
132 331.

Reach out for support
If you’re feeling distressed or anxious, please reach out. Along with
calling Medibank’s Mental Health Support line, you can contact your GP
or the following support services:

• Beyond Blue (1300 224 636 / beyondblue.org.au)
• Lifeline (13 11 14 / lifeline.org.au)

If there is an imminent threat to your safety, call Triple Zero.

Visit Medibank Cyber Event Updates and Support page:
medibank.com.au/cybersecurity

We’ll continue to post the latest information on this page, along with
answers to frequently asked questions.

Yours sincerely,
The Medibank Cyber Response Support Team

This event has been assessed as an ‘eligible data breach’ under Part
IIIC of the Privacy Act 1988 (Cth)(Privacy Act) and the Office of the
Australian Information Commissioner has been notified of this event.
This letter has been issued under section 26WK of the Privacy Act.

Timeline of events
• 13 October 2022: We announced we had identified unusual activity on
our systems and took immediate steps to contain the incident, including
engaging cyber security experts to investigate the incident.
• 19 October 2022: We received messages from the criminal that wanted to
negotiate with us regarding their alleged theft of customer data.
• 20 October 2022: We announced that the criminal had contacted us
claiming to have stolen 200GB of data, providing a sample of data
relating to 100 customer records from the ahm and international student
policy management systems.
• 25 October 2022: We announced the criminal sent a series of additional
files which included data relating to a further 1,000 ahm customer
records, as well as further data relating to Medibank, international
student and additional ahm customers.
• 26 October 2022: We announced that our investigation had established
that the criminal had access to personal data and significant amounts of
health claims data for all Medibank, ahm and international student
customers.
• 7 November 2022: We announced what customer information we believe has
been accessed and stolen by the criminal and that we would not be paying
any ransom demand for this data theft.
• 9 November 2022: We announced that we became aware that the criminal
has released files on the dark web containing customer data that is
believed to have been stolen from Medibank systems.

For the latest updates, please visit medibank.com.au/cybersecurity