The Medibank Data Breach (Complete Timeline of Events)

UpGuard Team
UpGuard Team
Published Nov 08, 2022

Medibank is the second Australian company to suffer a large-scale data breach in less than a month. Follow the sequence of events that unfolded during the incident.

October 12 - Suspicious Activity Detected and Reported to Medibank CEO

Medibank Chief Executive, David Koczkar, receives an internal call notifying him of suspicious activity detected inside the company’s network.

October 13 - Medibank Announces Suspicious Activity Detection to the Public

Medibank releases a public statement about a potential cyberattack but says no evidence of customer data compromise has been found.

Yesterday the Medibank Group detected unusual activity on its network.

In response to this event, Medibank took immediate steps to contain the incident and engaged specialised cyber security firms.

At this stage, there is no evidence that any sensitive data, including customer data, has been accessed.

As part of our response to this incident, Medibank will be isolating and removing access to some customer-facing systems to reduce the likelihood of damage to systems or data loss.

As a result, our ahm and international student policy management systems have been taken offline. We expect these systems to be offline for most of the day.

This will cause regrettable disruptions for some of our customers. ahm and international student customers will still be able to contact our customer teams via phone but at this stage our people won’t be able to access policy information.

- Medibank statement published at 11 am, Thursday, 13 October 2022

October 14 - Medibank Contact’s Impacted Customers

Medibank send an email to its customer base announcing the incident. Around 2.8 million emails are sent with text messages sent to customers preferring this communication method. The email echoes Medibank’s initial statement that no evidence of customer data compromise has been detected.

Example Medibank cyber attack announcement email sent to impacted customers.
Example Medibank cyber attack announcement email sent to impacted customers.

October 17 - Medibank Says Still no Evidence of Customer Data Compromise Found

Medibank releases an update saying that their investigation efforts still haven’t found evidence that customer data was compromised.

"Our ongoing investigation continues to show no evidence that any customer data has been removed from our IT environment.

"We have resumed normal activity for our customers, after temporarily removing access to some of our customer systems as a precautionary measure last week.

"We’re sorry for the inconvenience and concern this may have caused.

"Our ongoing investigation has found the unusual activity we detected in part of our IT network was consistent with a possible ransomware threat. Ransomware is a common and dangerous type of malicious software that works by locking up or encrypting files, so they are no longer accessible. Our systems were not encrypted by ransomware during this incident.

"As a further precaution, we’ve put in place additional security measures across our network and we continue to work with external cybersecurity experts and the Australian Government’s lead cyber agency, with our forensic investigation continuing.

"We remain vigilant and will take necessary steps in the future to protect your data. Although there is nothing that customers need to do, you can contact us by phone."

- Medibank update published at 11 am, Thursday, 13 October 2022

October 19 - Hackers contact Medibank

The hackers contact Medibank and provide a sample of 100 stolen customer records to prove that customer data was indeed compromised.

October 20 - Medibank Confirms that AHM Customer Data was Compromised

Medibank announces that AHM (an insurance brand backed by Medibank) customer data was compromised in the attack.

We wanted to update you on the latest development, which the Australian Federal Police is investigating as a crime.

Medibank has been contacted by a criminal claiming to have stolen data and who has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems. This information includes:

- First names and surnames
- Addresses 
- Dates of birth
- Medicare numbers
- Policy numbers
- Phone numbers 
- Some claims data, including the location of where a customer received medical services and codes relating to their diagnoses and procedures.

The criminal also claims to have stolen other information, including data related to credit card security. This has not yet been verified by our investigations. 

We’re working around the clock to understand what additional customer data has been affected and how this will impact them.

We are making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next. We expect the number of affected customers to grow as the incident continues.

Medibank urges customers to remain vigilant, and encourages them to seek independent advice from trusted sources, including the Australian Cyber Security Centre at

As always, Medibank will never contact customers requesting passwords or other sensitive information.

- Medibank cyber attack update published at 1:25pm, Thursday 20 October

October 25 - Medibank Announces their Customers were also Impacted

After reviewing an addition series of files provided by the attackers, Medibank discovers that its direct customers were also compromised in the data breach.

There has been a further development in Medibank’s cybercrime event.

It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers.

We have received a series of additional files from the criminal. We have been able to determine that this includes:

- A copy of the file received last week containing 100 ahm policy records – including personal and health claims data
- A file of a further 1,000 ahm policy records – including personal and health claims data
- Files which contain some Medibank and additional ahm and international student customer data

Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen. We will continue to analyse what we have received to understand the total number of customers impacted, and specifically which information has been stolen.

We will also continue to contact our customers as we are able to confirm whether their data has been compromised.

-  Medibank cyber attack update published at 8:30am, Thursday 25 October

October 26 - Medibank Announces the Scope of Customer Data the Hackers Accessed

Medibank releases an announcement revealing that the hackers had full access to three primary customer data categories - AHM customer data, International customer data, and Medibank customer data.

Since yesterday’s announcement, our cybercrime investigation has now established that the criminal had access to:

- All ahm customers’ personal data and significant amounts of health claims data 
- All international student customers’ personal data and significant amounts of health claims data 
- All Medibank customers’ personal data and significant amounts of health claims data

As previously advised, we have evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data. As a result, we expect that the number of affected customers could grow substantially.

-  Medibank cyber attack update published at 9:30am, Wednesday 26 October

November 7 - Medibank Announces that 9.7 Million Customers were Impacted in the Data Breach

Medibank announces that 9.7 million customers were likely impacted in the data breaches. The hackers contact Medibank and threaten to publish the stolen data on the dark web unless a ransom of US$10 million is paid. Medibank refuses to pay the ransom.

Today, we’ve announced that no ransom payment will be made to the criminal responsible for this data theft. 

Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.  In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.

This decision is consistent with the position of the Australian Government. Based on our investigation to date into this cybercrime we currently believe the criminal has accessed:

- Name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.  This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers

- Medicare numbers (but not expiry dates) for ahm customers

- Passport numbers (but not expiry dates) and visa details for international student customers 

-Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers.  This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.  Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed

-Health provider details, including names, provider numbers and addresses

We believe the criminal has not accessed:

- Credit card and banking details

- Primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers.  Medibank does not collect primary identity documents for resident customers except in exceptional circumstances  

-Health claims data for extras services (such as dental, physio, optical and psychology)

Given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal.

-  Medibank cyber attack update published on 7 November, 2022

November 8 - Hackers Threaten to Publish Stolen Data in 24 Hours

Up until this point, the hackers had only shared fragments of stolen data with Medibank. In an effort to force Medibank’s hand into paying the ransom, the hackers announce that they will commence publishing increasing segments of the stolen data on a cybercriminal forum in 24 hours.

Screenshot of the original post by REvil on the dark web
Screenshot of the original post by REvil on the dark web

November 9 - Hackers Publish a Segment of Customer Data on the Dark Web

The hackers follow through with their threats and published a segment of the stolen database. The data is published across two categories, a “good list” and a “naughty list,” with the naughty list identifying customers that have undergone treatment for drugs, alcohol, and those with mental disorders.

The data is published on a ransomware leak website with ties to BlogXX - a cybergang believed to be a re-grouping of the defunct Russian ransomware gang REvil.

With the likely link to a ransomware gang and the use of extortion tactics, the incident bears all the hallmarks of a ransomware attack with the exception encryption.- possibly because the attack was intercepted before the hackers had time to encrypt Medicare’s systems.

The customer data dump included two small files of sample data, screenshots of the group's negotiations with Medibank, and two large compressed files each containing approximately 800k rows of personally identifiable information.

The directory structure of the Medibank data leak
The directory structure of the Medibank data leak

Two JSON files each contained personal information for one hundred people each. The data points included Medicare number, name, home address, date of birth, phone number, name of their medical provider, and diagnosis codes. Natural persons were easily corroborated based on the given names and addresses in the data.

Screenshot of JSON file containing sample data points. Approximately 200 fully identifiable records were posted.
Screenshot of JSON file containing sample data points. Approximately 200 fully identifiable records were posted.

“Students” and “Oscar” Collections

Far more data was contained in two compressed files. When decompressed, each contained chunks of a large data set that had been broken up into smaller CSVs. One file was named "oscar.7z" and was 224 MB compressed. The other was "students.7z" and was 20 MB compressed.

After unzipping them, oscar.7z and students.7z contained 414 and 205 files, respectively. Each of those files was a CSV with the same structure. The "oscar" files appeared to be so named because they were from an account of the Oscar CRM system. The "students" data included “oseas_stud” in the filenames, suggesting they are from a system for overseas students.

Each collection had around 800,000 rows of data. The column headers were missing, but in examining the data, the "student" collection appeared to contain names, email addresses, country of origin, dates of birth, gender, and identifiers matching the format of passport numbers.

The "oscar" collection had names, email addresses, phone numbers, ten-digit numbers that could not be validated as Medicare numbers, and other numbers without clear meanings. Some of the email addresses were repeated across rows, and not all data points were present for all people.

The cybercriminals repeated their threat to Medicare that more customer data will be published unless the ransom of US$10 million is paid.

November 10 - Hackers Publish Customer Abortion Information

The hackers publlish more customer details on the dark web. This time, its a database revealing customer information pertaining to abortions, non-viable pregnancies, ectopic pregnancies, molar pergnancies, and miscarriages.

More updates about the Medibank data breach will be published once they becomes available.

Is your organization at risk of a data breach? Click here to find out >

UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

Protect your organization

Get in touch or book a free demo.

Related breaches

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up for our newsletter

Stay up-to-date on everything UpGuard with our monthly newsletter, full of product updates, company highlights, free cybersecurity resources, and more.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating