How Medibank joined Optus in hack hell

The first is Confluence, made by the Australian technology giant Atlassian. It is a ubiquitous tool that companies use to store essential documentation on how their computer systems work.

Jamieson O’Reilly, the founder of an Australian firm called Dvuln that companies pay to find IT vulnerabilities, said Confluence is his first port of call after getting into a client’s systems.

“We recently did a big engagement where we got into Confluence, and we spent about two weeks just studying the way the organisation worked through Confluence, and then we could launch further attacks,” he said.

The second system referenced by the hackers is RedShift, which is a data warehouse tool from the internet giant Amazon Web Services. It is where a company could store customer data of the kind the hackers now appear to have acquired.

A source familiar with the situation, but not authorised to speak publicly, said Amazon was aiding Medibank’s investigation. There’s no suggestion Amazon or Atlassian’s security systems were breached or that there are risks for either company’s tools.

Despite the apparent severity of the breach, Medibank spent last week emphasising that it had not found evidence of any customer information being stolen. As recently as Monday this week, Koczkar was using language that made the breach look minor.

Loading

“We have no evidence that there was any access to customer data, but that really is subject to our continuing forensic analysis,” Koczkar said as analysts peppered him with questions about what the hackers had seen.

“We can say definitively that there is no evidence that customer data has been removed from our systems,” he said at another point.

Koczkar defended Medibank’s communications on Thursday, after the severity of the breach became clear.

“Our investigation has been ongoing and as these incidents are, they continue to evolve,” he said. “From the start, I committed to share updates, right when they came to light. And previous statements had been very clear that they were point in time updates.”

Home Affairs Minister Clare O’Neil, who lambasted Optus’ miscommunications, has reserved her ire for the hackers in this case. She has not said a harsh word against Medibank and declined to say whether she classified the attack on the insurer as “sophisticated” – which has become a loaded word since the Optus hack – or not.

O’Reilly says assessing the severity of the hack will depend on how Medibank secured the stolen credentials or limited their use. If they were all that was required to access its systems, then the hack was more basic than the Optus breach, he said.

“Even a 16-year-old can go and get an account on [a stolen credentials site], search for an infected computer that has Medibank credentials saved on it, and then download or purchase those credentials for like 10 bucks and then login through the front door.”

Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.

The first is Confluence, made by the Australian technology giant Atlassian. It is a ubiquitous tool that companies use to store essential documentation on how their computer systems work.

Jamieson O’Reilly, the founder of an Australian firm called Dvuln that companies pay to find IT vulnerabilities, said Confluence is his first port of call after getting into a client’s systems.

“We recently did a big engagement where we got into Confluence, and we spent about two weeks just studying the way the organisation worked through Confluence, and then we could launch further attacks,” he said.

The second system referenced by the hackers is RedShift, which is a data warehouse tool from the internet giant Amazon Web Services. It is where a company could store customer data of the kind the hackers now appear to have acquired.

A source familiar with the situation, but not authorised to speak publicly, said Amazon was aiding Medibank’s investigation. There’s no suggestion Amazon or Atlassian’s security systems were breached or that there are risks for either company’s tools.

Despite the apparent severity of the breach, Medibank spent last week emphasising that it had not found evidence of any customer information being stolen. As recently as Monday this week, Koczkar was using language that made the breach look minor.

Loading

“We have no evidence that there was any access to customer data, but that really is subject to our continuing forensic analysis,” Koczkar said as analysts peppered him with questions about what the hackers had seen.

“We can say definitively that there is no evidence that customer data has been removed from our systems,” he said at another point.

Koczkar defended Medibank’s communications on Thursday, after the severity of the breach became clear.

“Our investigation has been ongoing and as these incidents are, they continue to evolve,” he said. “From the start, I committed to share updates, right when they came to light. And previous statements had been very clear that they were point in time updates.”

Home Affairs Minister Clare O’Neil, who lambasted Optus’ miscommunications, has reserved her ire for the hackers in this case. She has not said a harsh word against Medibank and declined to say whether she classified the attack on the insurer as “sophisticated” – which has become a loaded word since the Optus hack – or not.

O’Reilly says assessing the severity of the hack will depend on how Medibank secured the stolen credentials or limited their use. If they were all that was required to access its systems, then the hack was more basic than the Optus breach, he said.

“Even a 16-year-old can go and get an account on [a stolen credentials site], search for an infected computer that has Medibank credentials saved on it, and then download or purchase those credentials for like 10 bucks and then login through the front door.”

Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.