Medibank says MOVEit Transfer breach compromised employees' names, emails, and phone numbers

Australian private health insurance provider Medibank Private said that the sensitive personal data of its staff members was compromised after its property manager suffered a major breach as a result of the exploitation of a vulnerability in the MOVEit Transfer application.

In a statement shared with Reuters, a Medibank spokesperson said that one of its property managers used the MOVEit Transfer software to send and receive files securely. One of the files the threat actors accessed contained Medibank employees’ names, email addresses, and phone numbers.

“We were advised by the vendor Ipswitch about some vulnerabilities discovered in MOVEit — a software system we use to share information with external parties — and have promptly applied all the vendor’s recommended security patches.

“We continue to investigate and work closely with the vendor, and at this stage, we are not aware of any of our customers’ data being compromised,” the spokesperson said.

Medibank has, however, added that the compromised file did not contain any bank details, payroll information, or home addresses of employees. “Medibank systems have not been impacted by the MOVEit cyberattack,” the spokesperson added.

Last year, Medibank Private suffered a massive ransomware attack that forced it to take certain systems offline to protect customers’ information. The ransomware attack reportedly impacted close to ten million current and former customers of the insurance giant.

Though the company managed to isolate its systems after discovering the attack, the attackers had by then successfully exfiltrated the data of around 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers.

After Medibank refused to pay a ransom of USD 10 million demanded by a Russia-based cybercriminal group, the gang leaked a huge tranche of stolen data on the Dark Web. This data set included confidential and sensitive personal and healthcare information of those who availed of Medibank’s services.

Australian law firms Baker McKenzie, Maurice Blackburn Lawyers, Bannister Law Class Actions and Centennial Lawyers filed four different class action lawsuits against the health insurer for failing to protect customer information.

“The Medibank Private data breach was among the worst in the nation’s corporate history, affecting the private information of millions of retail customers across Australia and overseas,” a Baker McKenzie spokesperson said.

“In launching this class action in the federal court, Baker McKenzie is to provide affected individuals with an avenue for redress and compensation for the loss and distress caused by Medibank Private’s alleged failings.”