Medibank Breach - Compromised Velocity Accounts Locked

[Sprucegoose]

I’ve heard some press reports that as part of a data leak VA have suspended some Velocity accounts. I am sure there will be further confirmation and a response to this shortly.

 

[lewyVA]

I just got an email from Velocity- it's related to the Medibank hack. I had given Medibank my data inc. Velocity number for a sign up bonus. Interesting that Velocity have told me and not Medibank- their communication is quite detailed and considered. My account is currently locked and I will be issued a new Velocity number in due course. Having been part of the Optus then Medibank data breaches, I have to say that the Velocity email is far and away the most comprehensive, although it's perhaps simpler for them given that only 1 piece of data (the FF Number) is compromised.

The only thing that I'm vaguely annoyed about is I know my current number by heart and don't want to learn a new one!

 

[Sprucegoose]

I just got an email from Velocity- it's related to the Medibank hack. I had given Medibank my data inc. Velocity number for a sign up bonus. Interesting that Velocity have told me and not Medibank- their communication is quite detailed and considered. My account is currently locked and I will be issued a new Velocity number in due course. Having been part of the Optus then Medibank data breaches, I have to say that the Velocity email is far and away the most comprehensive, although it's perhaps simpler for them given that only 1 piece of data (the FF Number) is compromised.

The only thing that I'm vaguely annoyed about is I know my current number by heart and don't want to learn a new one!

I have some sympathy with you on the annoyance getting a new number. Good to see VA advising comprehensively, noting they are a necessarily involved third party but still take their customer facing obligations seriously.

The government will most probably (appropriately) legislate a response shortly to these types of breaches.

 

[RadioBusinessTraveller]

I just got an email from Velocity- it's related to the Medibank hack. I had given Medibank my data inc. Velocity number for a sign up bonus. Interesting that Velocity have told me and not Medibank- their communication is quite detailed and considered. My account is currently locked and I will be issued a new Velocity number in due course. Having been part of the Optus then Medibank data breaches, I have to say that the Velocity email is far and away the most comprehensive, although it's perhaps simpler for them given that only 1 piece of data (the FF Number) is compromised.

The only thing that I'm vaguely annoyed about is I know my current number by heart and don't want to learn a new one!

I’m in exactly the same boat.
Agree it will be annoying to have to remember a new membership number, but good to see Velocity are on top of this.

Here’s the email details

We are contacting you in relation to the cybercrime event recently experienced by Medibank.

Medibank has just advised us that you are one of a small number of Velocity Frequent Flyer members who may have had your Velocity membership number accessed as part of this event.

We are acting swiftly to protect your Velocity account from unauthorised activity and have locked your account as a precautionary measure, while we issue you with a new Velocity membership number.

Keeping your account safe from unauthorised activity is our priority and we apologise for any inconvenience caused.

What impact will this have on me?
This will have no impact on your Velocity Points balance, your ability to travel with Virgin Australia, having your member status recognised (including access to lounges as applicable) or your ability to earn Velocity Points. Your ability to log in to your account and redeem Points will be impacted while your account is locked and we will be in touch as soon as possible to issue you with a new Velocity membership number.

What action do I need to take?
You do not need to take any further action in regards to your account right now.

Your account has been locked and we will be in touch in coming days regarding your new Velocity membership number and how to activate your new account.

If you have any questions, please call us on 13 18 75.

Sincerely,

Velocity Frequent Flyer

 

[Scr77]

I’m impressed that VA are so proactive. Can you imagine QF doing anything about this?

 

[tdimdad]

I’m impressed that VA are so proactive. Can you imagine QF doing anything about this?

QF or many other companies, for that matter. It sounds like VA execs and/or board understand something about security or try to pay better attention to it. It's refreshing to see.

 

[Sprucegoose]

I’m impressed that VA are so proactive. Can you imagine QF doing anything about this?

I think you are too hard on the Red Rat.

From my perspective, QAN performs well at the upper end of the relationship spectrum and especially with the government. Indeed you could say they are becoming a match fit in all areas; despite the initial public lashings, a profit lift, wholesome forecasts and bonuses awarded - the corporate world is not a straight line.

I expect data integrity to be discussed at every board meeting in every company.

 

[Bagpuss]

I expect data integrity to be discussed at every board meeting in every company.

Totally off subject, I can confirm it isn't. Lots of company are poor at risk management

 

[antycbr]

QF or many other companies, for that matter. It sounds like VA execs and/or board understand something about security or try to pay better attention to it. It's refreshing to see.

I’d like to see multi factor authentication on FF accounts before you do a redemption in particular. At least VA have moved on from a 4 digit pin.

 

[MARTINE]

Lots of company are poor at risk management

Unless it comes to viability of future executive bonuses then risk is well managed

 

[ozstamps]

Sad to hear that.

Gotta ask -- what on EARTH right does any health provider have to ask for FF numbers??????

They do not ask what footy team you support, or what beer you drink etc?

 

[Sprucegoose]

Sad to hear that.

Gotta ask -- what on EARTH right does any health provider have to ask for FF numbers??????

They do not ask what footy team you support, or what beer you drink etc?

Good question. I suspect it's a points reward for an initial (?) membership.

Should the information be retained if it is no longer required? At least our metadata is destroyed after two years, so why should any database hold any data if it is no longer necessary?

 

[oz_mark]

Sad to hear that.

Gotta ask -- what on EARTH right does any health provider have to ask for FF numbers??????

They do not ask what footy team you support, or what beer you drink etc?

150,000 points may have been enough reason for some. Medibank Velocity Promotion

 

[lewyVA]

150,000 points may have been enough reason for some. Medibank Velocity Promotion

What he said! (+ SC at the time of my application)

 

[jase05]

Sad to hear that.

Gotta ask -- what on EARTH right does any health provider have to ask for FF numbers??????

They do not ask what footy team you support, or what beer you drink etc?

I changed over to Medibank at they time they were giving 150k VFF points away so they obviously required the FF number.

 

[AustraliaPoochie]

Totally off subject, I can confirm it isn't. Lots of company are poor at risk management

Yep, Optus and Medibank could have used encryption or something else AI wise to secure the data.
But in turn, all the data was so easy first for the scammer to obtain, and then to just dump or drop the data into easy read open file, for every lower scale scammer, ie, the no main scammers who did the breach, to use the data.
We have come so far, AI wise, facial recognition in CH, for eg, that the data breach with Optus/Medibank/Telstra (staff data) seem so easy to do.
OffT, edit: now we have news of VFF's nemesis, ie, WW's WWR/EDR accounts being hacked/points being used by other people than the bona fide holder of the account.
WWR now needs Aust phone number to send 2fa to do log in, which should have been done long ago, of course, this does not avert porting of phone number/phone service provider.
At least with FB, there is occasional 2fa with sms code needed to do certain things.OnT.

 

[oz_mark]

Yep, Optus and Medibank could have used encryption or something else AI wise to secure the data.

They may have, but encryption is not the be all and end all of security. Even if it is encrypted, anyone, or anything, with sufficient access will be able to view it unencrypted.

 

[Sprucegoose]

Totally off subject, I can confirm it isn't. Lots of company are poor at risk management

And a totally OT response……I must agree. It’s frustrating to watch constantly, the flip side is I can now afford shoes and meals from assisting those in the doggy doo doo…..

 

[MARTINE]

Thanks Medibank, just got this email.
I guess I’ll have to seek legal advice on how to proceed from here

We’re deeply sorry to inform you that some data relating to your membership has been stolen in the recent cybercrime event.



This email details what specific membership data was stolen, outlines actions you can take to safeguard your online identity, and the services available through our Cyber Response Support Program.



Which of your data has been stolen

Based on our investigation, we can confirm the following data relating to your membership has been stolen:

• first name and surname

• gender

• date of birth

• email (where you have provided it to us)

• address

• phone number (where you have provided it to us)

• policy number

• Live Better activities & rewards data (where this applies to you)



We believe the criminal has not stolen:

•	Credit card and banking details
•	Your health claims data
•	Primary identity documents, such as a driver's licence. Medibank does not collect primary identity documents for Australian resident customers except in exceptional circumstances
•	Health claims data for extras services (such as dental, physio, optical and psychology).

Identity protection

The federal government has issued a fact sheet about this cybercrime event and the steps you can take to safeguard your data. You can view it here.



We have engaged IDCARE – Australia's national identity and cyber support community service – to assist all customers who have concerns about the exposure of their data. To access this free service, visit the dedicated page for Medibank and ahm customers.



Extra precautions you can take

We recommend being vigilant with all online communications and transactions, namely:

•	Being alert for any phishing scams that may come to you by phone, post or email
•	Making sure to verify any communications you receive to ensure they are legitimate
•	Being careful when opening or responding to texts from unknown or suspicious numbers
•	Regularly updating your passwords with ‘strong’ passwords, not re-using passwords and activating multi-factor authentication on any online accounts, where available.

Medibank will never contact you asking for your password or sensitive information.



Customer data on the dark web

We believe data that was stolen has been released by the criminal on the ‘dark web’. The dark web is a closed online network, often accessed for criminal purposes. We strongly advise all affected customers to take the precautions outlined to safeguard their online identity. We recognise the distress this may cause you and we apologise.



The Australian Federal Police and Operation Guardian

The Australian Federal Police (AFP) have announced it will protect Medibank customers whose personal information has been unlawfully released online by criminals. They have taken immediate measures to identify further criminal activity. The AFP has stated that law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offences using stolen Medibank data. You can read more about Operation Guardian here.



If a person contacts you threatening to release your data unless payment is made, please report this immediately to ReportCyber via their website or on 1300 292 371.


To report a scam, please do so via ScamWatch. If there is an imminent threat to your safety, call Triple Zero.



Support for customers

We have established a Cyber Response Support Program to support our current and former customers:

•	A cybercrime health & wellbeing line – counsellors who have experience supporting vulnerable people (such as those at risk of domestic violence) and have been trained to support victims of crime and issues related to sensitive health information
•	Mental health outreach service – proactive support service for customers identified as being vulnerable, or through referral from our contact centre team
•	Better Minds App – new tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear, with additional phone based psychological support available
•	Personal duress alarms for customers particularly vulnerable and/or with safety risks
•	Hardship support for customers who are in a uniquely vulnerable position as a result of this crime
•	Specialist identity protection advice and resources through IDCARE’s purpose-built page for Medibank and ahm customers
•	Free identity monitoring services for customers whose primary identity document has been compromised as a result of this crime
•	Reimbursement of ID replacement fees for customers who need to replace any identity documents that have been compromised as a result of this crime. Please ensure you keep a copy of the receipt
•	Specialised teams to help our customers who receive scam communications or threats in relation to this cybercrime.

For further information on how to access the Cyber Response Support Program and details of our extended contact centre opening hours, please visit medibank.com.au/cybersecurity or call our contact centre team on 132 331.



Reach out for support

If you’re feeling distressed or anxious, please reach out. Along with calling Medibank’s Mental Health Supportline, you can contact your GP or the following support services:

•	Beyond Blue (1300 224 636 / beyondblue.org.au)
•	Lifeline (13 11 14 / lifeline.org.au)

If there is an imminent threat to your safety, call Triple Zero.



Visit Medibank Cyber Event Updates and Support page: medibank.com.au/cybersecurity

We’ll continue to post the latest information on this page, along with answers to frequently asked questions.



Yours sincerely,

The Medibank Cyber Response Support Team

I am so sorry to hear this
I am dreading such am email
I have changed my medicare card
FWIW - I have Norton sub for all my devices - I upgraded to an ID support package where they scan dark web for my details ie DOB/phone numbers etc and allocate a support person to proceed with a remedy
It was around$70 tax deductible - maybe magical thinking on my behalf - but what canwe do? I also will be looking at remedies as their contract w us has been breached if they were sloppy w our data

 

[ozstamps]

Got the same worded one to Jaseo5 but from 'AHM'.

At first I assumed it was some scam, as I've never, ever, used Medibank. But his wording was same as mine -

'visit the dedicated page for Medibank and ahm customers.'

Have a recollection I was with AHM maybe 10 or more years back.

Agree with Bill Shorten - 'laws need to be passed so that we all own our old data.'

Close a bank or telco or health or insurance account and these records MUST be destroyed by law. Bog simple. Issue solved then. I'd not have been hacked and not compromised then.

Some outfit I used a decade or more back has no ZERO RIGHT to have all this personal data stored. So that it can be stolen by hackers at any time in the future.