The private health insurer has been caught up in another major cybersecurity breach, falling victim to the same vulnerability that has two of the big four accounting firms on edge.
Last week the FBI and the US Cybersecurity and Infrastructure Security Agency, along with the UK’s National Cyber Security Centre, announced warnings about new Russian cyber security attacks.
Medibank has confirmed to The Australian it is a customer of US file transfer service MOVEit, which has been broken into by Russian criminal group CL0P after vulnerabilities were discovered in the software.
This is the second major cybersecurity incident to land at Medibank, which last year was the target of one of Australia’s largest-ever breaches, involving 9.7 million customers.
Ipswitch, the local owner of MOVEit and a subsidiary of Progress Software, reached out to Medibank to confirm their product had vulnerabilities, a Medibank spokeswoman said.
“We were advised by the vendor Ipswitch about some vulnerabilities discovered in MOVEit – a software system we use to share information with external parties – and have promptly applied all the vendor’s recommended security patches,” she said.
“We continue to investigate and work closely with the vendor, and at this stage we are not aware of any of our customers’ data being compromised.”
Sky News Australia revealed late on Monday that Medibank had been involved in the hack, which The Australian confirmed directly with the private health provider.
Major accounting firms PricewaterhouseCoopers and EY, and the US Department of Energy, who are all customers of Progress Software’s MOVEit, have been caught up by the vulnerabilities.
The Russian gang behind the breach, CL0P, is a ransomware-as-a-service (RaaS) group that surfaced in 2019 and is known for encrypting victim files and demanding a ransom payment.
In March, it was revealed Crown had also been hit with a ransom demand by the Russian gang, after it breached a third-party file transfer service called GoAnywhere.
A couple of weeks later, CL0P uploaded a small number of Crown files to the dark web, including employee attendance records and customer membership numbers.
Crown was one of about 130 firms, including Rio Tinto, which the gang claimed to have hacked.
Rio Tinto chief security officer Scott Brown confirmed the hack in March in a company memo sent around to employees.
“This data relates to certain records processed by our payroll services team in January 2023 (such as pay slips and overpayment letters) for a small portion of past and present employees based in Australia, who received these records by post,” he wrote.