Create a free account, or log in

Medibank, Woolworths hacked as 2022 becomes Australia’s worst year for cyberattacks

The identity of nearly one in two Australians has been embroiled in several high-profile cybersecurity breaches spanning telecommunications, health and retail this year.
Fallback Image
Emma Elsworthy
cyberattacks
No customer data appears to have been accessed in Medibank's breach, the CEO confirmed.

It’s shaping up to be Australia’s most dangerous year for cyberattacks as the identity of nearly one in two Australians has been embroiled in several high-profile company breaches spanning telecommunications, health and retail.

Cybersecurity expert and founder of StickmanCyber Ajay Unni says the key takeaway for business is that a transparent, proactive and accountable reaction to a cyberattack is the best way to protect the reputation and operation of an organisation moving forward.

“Communication is key in any incident including cyber, or the public will speculate and draw their own conclusions leading to erroneous information being circulated,” he said.

“Being on the front foot and taking action, even when it may be disruptive to business, along with keeping customers and the public up-to-date is a step in the right direction.

So what is the first thing a business should do if it was the victim of a cyberattack? Simple, Unni says — report it immediately.

“Businesses, regardless of their size and scale, need to at least inform the Office of Australian Information Commission of a suspected or confirmed breach while also requesting assistance from the Australian Cyber Security Centre and any third parties who can help with the investigation and remediation.”

Here are five businesses that have been hacked in the last two months.

Medibank

The private health insurer became the latest organisation to be targeted by a cyberattack after it detected unusual activity in the network on Wednesday, immediately taking the ahm and international student policy systems — along with its data — offline.

However, no customer data appears to have been accessed in the breach, Medibank CEO David Koczkar said in a statement, though he added that “our investigation is ongoing”.

“As we continue to take decisive action to safeguard our networks and systems, we will take any steps necessary to protect the data of our customers, people and other stakeholders,” Koczkar said.

“We will keep everyone updated as we learn more in the coming days.”

Senior figures engaged the Australian Cyber Security Centre, APRA, Office of the Australian Information Commissioner, Private Health Insurance Ombudsman, the Department of Health and the Department of Home Affairs to ensure regulators and others were across the attack.

“We will also share technical information with peers across the industry as part of our commitment to helping others understand how this incident transpired and to allow our industry peers to bolster their own defences,” Medibank said in a statement.

Optus

In September the telco suffered the worst cyberattack in Australian history when the details of 9.8 million people were accessed including names, dates of birth, phone numbers, email addresses and, for some, driver’s licences or passport numbers.

Of the victims, some 17,000 current Medicare ID numbers were exposed, while another 26,000 expired ID numbers were also accessed, though the telco assured people that hackers could not access their Medicare details with just a number.

After copping some criticism for its response to the attack, Optus announced international professional services firm Deloitte would conduct an independent external review of the incident, as well as its security systems, controls and processes.

Optus CEO Kelly Bayer Rosmarin said the telco, which is owned by Singapore-based parent Singtel, was “deeply sorry” and recognised the “significant concern” the mammoth breach has caused.

“This review will help ensure we understand how it occurred and how we can prevent it from occurring again,” she said.

“It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyberattack exists.

“I am committed to rebuilding trust with our customers and this important process will assist those efforts.

Optus vice president of regulatory and public affairs Andrew Sheridan added that the company “welcomes” proposed changes to data sharing regulations that will allow businesses to share information with approved financial institutions and government agencies to act swiftly in the case of an attack.

It came as Dialog, an Australian IT services company that is a subsidiary of Singtel, was also the subject of a cyberattack in September in which a third party accessed the data of 20 clients and 1000 current and former employees.

Woolworths

The personal details of 2.2 million customers were exposed at the weekend after the Woolworths-owned retail shopping site MyDeal was hacked via a compromised user credential.

The customer names, email addresses, phone numbers and delivery addresses, as well as birth dates for people who had to verify their ages when buying alcohol, were revealed in the attack, though more than half (1.2 million) only had an email address exposed.

MyDeal does not store payment information, driver’s licence or passport details, and no passwords were revealed in the attack, according to the Woolworths Group.

Woolworths has owned an 80% stake in the company since September after an audacious takeover reportedly worth more than $200 million, though the MyDeal systems are not integrated with Woolworth’s own.

MyDeal chief executive Sean Senvirtne apologised to customers for the major data breach and vowed to review cybersecurity measures at the online retailer.

“We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them,” he said.

Telstra

Australia’s largest telco confirmed that 30,000 current and former employees had been the victim of a small data breach after a third-party organisation accessed staff records dating back to 2017.

The hack only resulted in the names and email addresses of staff being leaked and posted on a hacking forum called Breached, which was also used during the Optus hack.

“We believe it’s been made available now in an attempt to profit from the Optus breach,” a spokesperson said.

In a tweet, Telstra said the hack wasn’t a breach of any Telstra system, and that no customer account information was included, though 12,800 of the employees named were current employees.

“We’ve told our employees as well as the authorities first and while there’s minimal risk to former employees, we’ll attempt to notify them too,” the tweet read.

Telstra urged anyone affected by the breach to “remain vigilant about any unexpected communications” in the aftermath.

Costa Group

The mushroom production company was the victim of “a malicious and sophisticated IT phishing attack” in August that may have exposed the personal and sensitive information of workers on Costa’s Australian berry farms.

It may have included passport details, banking details, superannuation details and tax file numbers of employees directly hired by Costa’s berry category since 2013 or who had provided by labour-hire organisations since 2019.

Costa said the attack — which appears to have happened to a server in Costa Corindi NSW — and the subsequent safeguarding of systems slowed operations and required the use of manual workarounds at certain sites and delayed some deliveries.

“Although only approximately 10% of the data on the file server was accessed, it is not clear what specific data was accessed due to the hacker encrypting their downloads,” the statement continued.

“This information was collected in the first instance to satisfy certain laws relating to the employment of citizens and non-citizens and has been retained as per relevant record retention requirements.”