Medibank Data Breach
Greg Williams 16 November 2022
Quite rightly, a number of current and former Medibank customers have contacted us for advice on what they should do to protect themselves. In light of the earlier Optus data breach, the opportunity for scammers in Australia has now reached the next level. And it was already bad enough! Here is our advice, noting that less is more...
Contact your Bank
Show them the emailed letter you received from Medibank
Express your concern that a scammer may try and use your stolen ID to contact your bank and steal your money
Ask your bank what they are doing to protect your funds
Insist that your bank agrees not to make any changes to your Internet Banking without you calling in to your branch and identifying yourself
Insist on that advice in writing
Contact your Mobile Phone Provider
Show them the emailed letter you received from Medibank
Express your concern that a scammer may try and use your stolen ID to contact your Telco and steal (port) your mobile number
Ask your Telco what they are doing to prevent your mobile number being ported to another phone without your explicit consent
Insist that your Telco agrees not to make any changes to your phone service without you calling in to your Telco's closest office personally and identifying yourself
Insist on that advice in writing
What are scammers likely to do with your stolen identity?
As above, they could try to use your credentials to access your bank account. We don't see this as particularly likely with the stolen Medibank data alone (more on that topic below), but if you are also an Optus customer then the combined data from both breaches, especially if it includes your driver's licence and/or your credit card details, makes it much easier for a scammer to convince your bank that they are you, particularly online.
They could use your credentials to open multiple bank accounts online. Banks do not take the same approach for opening bank accounts online as they do when you walk into a branch. Some would say they are careless, lazy or greedy, or perhaps all three! This won't necessarily affect you directly because those accounts they open in your name are more likely to be used to steal money from other bank customers.
They could use your credentials to steal your phone number. The scammer will generally need your driver's licence to do this, but we have seen nine occasions this year where both Telstra and Optus have allowed mobile numbers to be stolen; the scammer then uses your mobile number to verify their stolen credentials, again, always online. Genuine customers port mobile numbers to new phones every day. Just think about the short useful life of a mobile phone, how many mobile phones are in use in Australia, how competitive the industry is and how lax data security is, and you can see why this is a massive issue in Australia and around the world. Even if the typical mobile phone was useful for 5 years (lol), that would mean 4 million phone numbers ported every year, which is more than 10,000 numbers ported every day of the week!
Note that this is not an exhaustive list, this is just what we are seeing in our market.
Breaking down the Medibank advice
Let me explain. No, there is too much. Let me sum up. Seriously, what is it with Banks, Government and pretty much any large organisation? It's pretty clear they want to be able to say "I told you so" so that if you get scammed, it's not their fault! The Medibank breach is a case in point.

What data has been stolen?
Medibank makes a reasonably firm statement in this regard:
first name and surname
gender
date of birth – key identity data
email (where you have provided it to us) – crucial information, but unclear
address
phone number (where you have provided it to us) – again, crucial but unclear
policy number
Live Better activities & rewards data (where this applies to you)
If they are going to write to you personally, they must know whether or not they recorded your email address and phone number, and therefore whether or not it has been compromised. Best to assume they gave up both.
What data "may" have been stolen?
They have used the expression "We believe the criminal has not stolen:", which are weasel words at best. They must know!
Credit card and banking details – if you gave them this information, chances are the scammer has it
Your health claims data
"Primary identity documents, such as a driver's licence. Medibank does not collect primary identity documents for Australian resident customers except in exceptional circumstances" – surely this should be under the heading "What has not been stolen". It is unclear what they mean by "exceptional circumstances" and again, if they are writing to you personally, they know, one way or the other.
Health claims data for extras services (such as dental, physio, optical and psychology).
Obviously giving up your health data is bad, but it is unclear how a scammer might use this data. Their focus is on stealing money, so no biggie.
Identity Protection
Good advice, sure, but too little too late. The best way to protect your identity is not to give any information to Medibank or Optus!
"The federal government has issued a fact sheet about this cybercrime event and the steps you can take to safeguard your data. You can view it here" – wow, good luck wading through all of those web pages and links.
"We have engaged IDCARE – Australia's national identity and cyber support community service – to assist all customers who have concerns about the exposure of their data. To access this free service, visit the dedicated page for Medibank and ahm customers" – this is a better page to read, but still way too much information via the contained links. Kudos to IDCARE though.
"Extra precautions you can take"
We recommend being vigilant with all online communications and transactions, namely:
Being alert for any phishing scams that may come to you by phone, post or email – trust no phone call, SMS or email
Making sure to verify any communications you receive to ensure they are legitimate
Being careful when opening or responding to texts from unknown or suspicious numbers
Regularly updating your passwords with ‘strong’ passwords, not re-using passwords and activating multi-factor authentication on any online accounts, where available.
Medibank will never contact you asking for your password or sensitive information