
Medibank Private — REvil-affiliated extortion

Russian-attributed actors stole the complete health-claims database of Australia's largest private health insurer and published sensitive records including abortion and addiction data after Medibank refused to pay.

Target: Medibank Private — REvil-affiliated extortion
Date public: 12 October 2022
Sector: Healthcare
Attack type: Data Breach
Threat actor: REvil-linked actors (Aleksandr Ermakov, sanctioned)
Severity: Critical
Region: Australia

Medibank Private is Australia's largest private health insurer, covering about a third of Australians with private health insurance. In late 2022 hackers stole its entire customer database — the records of 9.7 million current and former customers, including not just names and addresses but detailed medical claims: what procedures people had, what diagnoses they carried, what medications they were prescribed. The attackers demanded a ransom. Medibank refused to pay, and the attackers made good on their threat — but with a particular cruelty. Rather than publishing everything at once, they released the data in targeted batches, deliberately beginning with the most sensitive records: patients whose claims referenced abortions, HIV treatment, drug rehabilitation, and mental-health admissions. The intention was clearly to maximise personal harm and public pressure on Medibank simultaneously. In January 2024 the Australian Federal Police named a Russian national, Aleksandr Ermakov, as responsible, and the Australian government sanctioned him: Australia's first use of individual cyber-sanctions. The breach directly drove Australia's 2024 Cyber Security Act and remains the most consequential data breach in Australian history.

What happened

On 12 October 2022 Medibank Private, Australia’s largest private health insurer with approximately 3.7 million customers, was contacted by an attacker claiming to have stolen its data. Medibank initially stated it had found no evidence of unauthorised access to customer data; by 19 October it had confirmed the breach and disclosed that approximately 9.7 million current and former customers were affected. The stolen data included names, dates of birth, addresses, Medicare numbers, phone numbers, email addresses, and — critically — detailed health-claims records specifying medical procedures, diagnoses, and claims history.

Medibank’s board considered and publicly rejected payment of the demanded ransom, citing advice that payment did not guarantee data deletion and would encourage further attacks. This decision, publicly announced, was an extraordinary act of corporate transparency about a deeply uncomfortable choice — and the attackers treated the refusal as a trigger for an extended public punishment campaign.

Over November and December 2022 the attackers released data in curated, maximally damaging tranches via a blog on the dark web and direct communications to journalists. Early releases specifically targeted the most sensitive subsets of the health-claims data: a file labelled “abortions” containing records of patients with claims related to pregnancy termination; a file of patients with HIV-related diagnoses and treatment; records from drug and alcohol rehabilitation claims; and mental-health treatment records. The targeting of these categories was deliberate and reflected the attacker’s understanding of which data would cause the most personal harm and public reputational pressure. Named individuals contacted media about finding their own data in the published files.

In January 2024 the Australian Federal Police, working in partnership with the US Secret Service and the UK National Crime Agency, publicly named Aleksandr Ermakov, a Russian national, as the actor responsible for the breach. The Australian government simultaneously imposed targeted financial sanctions on Ermakov under the Autonomous Sanctions (Cyber-Related Activities) designation framework — the first time Australia had imposed individual cyber-specific sanctions.

How it worked

The initial access vector was a compromised credential — specifically, credentials belonging to a third-party IT service provider that had access to Medibank’s systems. The credentials were obtained via the criminal market, consistent with infostealer malware having compromised the contractor’s device at some prior point. Using those credentials, the attacker authenticated to Medibank’s systems as a legitimate user and navigated internally over a period of days before the intrusion was identified.

The credentials used provided administrative-level access to Medibank’s internal network. The attacker used this access to locate and access the ahm (Australian Health Management) and Medibank policyholder databases, which between them covered the full 9.7 million-customer scope of the breach. The attacker staged and exfiltrated the data over approximately a week before being detected.

Medibank’s detection of the intrusion came after the data had already been exfiltrated. The attacker made contact with Medibank on 12 October as a negotiating opening, at which point internal investigation confirmed the breach had occurred and data had left the environment. The attacker initially claimed to hold 200 gigabytes of data.

The technical characteristics of the intrusion — compromised third-party credentials, access to a large sensitive database, data exfiltration — are structurally similar to many other breaches in the same period. What distinguishes the Medibank case is the subsequent extortion strategy, which combined public refusal of payment with deliberately sequenced releases of the most personally damaging data categories. The attacker had categorised the health-claims data before release and had made deliberate decisions about which records to lead with for maximum leverage — a level of operational sophistication in the extortion phase that went beyond simply dumping data.

Timeline

  • Unknown date, 2022 — Attacker obtains credentials for a Medibank third-party IT contractor via criminal market; credentials used to access Medibank internal systems.
  • October 2022 — Attacker accesses Medibank and ahm customer databases; approximately 9.7 million customer records exfiltrated over several days.
  • 12 October 2022 — Attacker contacts Medibank claiming data theft; Medibank begins investigation.
  • 19 October 2022 — Medibank confirms breach publicly; discloses scope of 9.7 million affected.
  • Late October 2022 — Medibank board publicly refuses ransom payment.
  • November 2022 — Attacker begins publishing data tranches on dark-web blog, beginning with “abortion” and HIV categories.
  • November–December 2022 — Progressive releases of sensitive claims categories; named individuals identified in published data; significant media and parliamentary attention.
  • January 2024 — Australian Federal Police names Aleksandr Ermakov; Australia imposes first individual cyber-sanctions; US and UK partner designations follow.
  • 2024 — The Office of the Australian Information Commissioner finds Medibank failed to take reasonable steps to protect personal information. Australian government passes Cyber Security Act 2024, citing Medibank and Optus breaches as direct impetus.

What defenders should learn

The entry point — a compromised third-party contractor credential — is the same vector that has driven a disproportionate share of major breaches across the last decade. Third-party access to sensitive systems is an inherent operational requirement for most large organisations, but the security controls applied to that access are frequently less rigorous than those applied to direct employees. Contractors whose credentials provide access to databases containing millions of sensitive records should face the same — or stricter — access controls as internal privileged users: MFA enforcement, access scoped to only what is operationally necessary, short-lived credentials with regular rotation, and monitoring of access patterns. A credential that can reach 9.7 million health records should not be a static password held on a contractor’s personal device.
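As an added illustration (not code from the original page, nor from Medibank or its investigators), a small Python detection sketch over constructed audit-log lines: it flags a third-party service account reaching policyholder tables without MFA, and a daily read volume far above that account's own median, which is the access-pattern monitoring called for above and the kind of bulk read that ran for about a week before detection in the "How it worked" section. Table names, account names, the log format and the spike factor are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed audit-log sample (not Medibank's real logs); one read event per line:
# date|account|account_type|mfa|table|rows_read
SAMPLE_LOG = """\
2022-10-01|svc-contractor-it|third_party|yes|policyholder_claims|1200
2022-10-02|svc-contractor-it|third_party|yes|policyholder_claims|900
2022-10-03|svc-contractor-it|third_party|yes|policyholder_claims|1500
2022-10-04|svc-contractor-it|third_party|no|policyholder_claims|480000
2022-10-05|svc-contractor-it|third_party|no|ahm_members|620000
2022-10-04|jsmith|employee|yes|policyholder_claims|3000
"""

SENSITIVE_TABLES = {"policyholder_claims", "ahm_members"}  # assumed table names
SPIKE_FACTOR = 10  # assumption: more than 10x an account's median daily volume is a spike

def parse(log):
    """Turn the pipe-delimited sample into a list of dict records."""
    rows = []
    for line in log.strip().splitlines():
        date, account, kind, mfa, table, n = line.split("|")
        rows.append({"date": date, "account": account, "kind": kind,
                     "mfa": mfa == "yes", "table": table, "rows": int(n)})
    return rows

def daily_sensitive_volume(rows):
    """account -> date -> total rows read from sensitive tables that day."""
    vol = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["table"] in SENSITIVE_TABLES:
            vol[r["account"]][r["date"]] += r["rows"]
    return vol

def find_alerts(rows):
    """Return sorted (date, account, reason) tuples for the two rules below."""
    alerts = []
    # Rule 1: a third-party account reaching a sensitive table without MFA.
    for r in rows:
        if r["kind"] == "third_party" and r["table"] in SENSITIVE_TABLES and not r["mfa"]:
            alerts.append((r["date"], r["account"], "sensitive table access without MFA"))
    # Rule 2: a day's read volume far above the account's own median. The median
    # resists a few spike days, so the attacker's bulk reads do not lift the baseline.
    for account, per_day in daily_sensitive_volume(rows).items():
        baseline = median(per_day.values())
        for date, n in per_day.items():
            if baseline and n > SPIKE_FACTOR * baseline:
                alerts.append((date, account, f"bulk read of {n} rows vs median {baseline:.0f}"))
    return sorted(alerts)
```

On the sample, only the contractor account trips either rule, and only on the two days where its reads jump from around a thousand rows to hundreds of thousands.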

The data categorisation and targeted release strategy used in the Medibank extortion represents a refinement of ransomware extortion tactics that healthcare organisations specifically should build into their threat models. The attacker did not simply threaten to release data — they had invested time in understanding which subsets of the health-claims data were most sensitive (abortion, HIV, mental health, addiction) and used those subsets as leverage instruments. Healthcare data is categorically more sensitive than most other enterprise data because it carries personal stigma, enables discrimination, and is practically irrevocable once disclosed. This sensitivity makes health data a priority target and should drive proportionately stronger controls on how it is stored, accessed, and segmented.

Medibank’s public refusal to pay is notable and carries a difficult lesson. Australian government policy, consistent with guidance from most Western cyber agencies, is that ransom payment does not guarantee data deletion, funds criminal operations, and incentivises further attacks. Medibank accepted this and made its decision public. The consequence was real, targeted, personal harm to individuals whose most sensitive health records were published. There is no comfortable resolution to this tension — but the experience argues that the decision framework should be established in advance of a breach, with legal and crisis-communications preparation, rather than made reactively under pressure. Organisations that have pre-committed to a no-payment policy should also have prepared their public messaging and individual-notification capabilities for the scenario where the attacker publishes regardless.

Finally, the Medibank breach was the direct driver of Australia’s first individual cyber-sanctions designation. The attribution-to-sanctions pipeline — from AFP identification to government financial-penalty designation — took fourteen months. The sanctions themselves are primarily a diplomatic and deterrence instrument rather than a direct security control. But the willingness of governments to name individuals and impose targeted consequences is an element of the broader deterrence architecture that organisations operating under regulatory frameworks should be aware of: cyber extortion that affects critical national infrastructure or very large volumes of sensitive personal data now attracts law-enforcement attention at the national-security level.
