Medibank hit with sell-offs as company says no data lost in cyberattack; no signs of ‘state-based’ actor

After issuing a trading halt last Friday, one day after the company revealed it had been hit with a cyberattack, Medibank (ASX:MPL) has today reported no customer data was lost in the incident and that business momentum will not be impeded. 

While Medibank was arguably dragged down by the broader market today, the -4.2% fall in lunchtime trades, which eclipsed falls on the S&P/ASX 200 Financials Index—down around -1%—suggests the stock is suffering from an overhang relating to last week's security breach.

Reuters forecast Asia Pacific markets would tank today as a contrarian rally witnessed last week failed to withstand into this week the USA’s 40-year high core inflation read. So, factor some of that in.

Medibank ultimately concludes today the cyberattack had all the calling cards of a ransomware attack and implies entities responsible attempted to install ransomware software onto its network, but ultimately failed. 

Sentiment will need time to regain confidence 

The fact of that failure has not done enough to recover sentiment for the stock at lunch. 

There is a geopolitical consideration hinted at in one line buried in Medibank’s announcement today: “there is no indication that the incident was caused by a state-based threat actor.”

If you’re reading in between the lines, they’re dogwhistling that the governments of China, Russia, and or North Korea were not involved; the three players most frequently suspected of state-sponsored cyber warfare attacks on Western companies. 

So, that’s good. 

Also worth noting is that the company says it immediately shut down its international student customer database once it identified unusual activity on its IT systems, in an “abundance of caution.” 

Why, exactly, Medibank ran to shut down its international student customer database, is not entirely clear.

What is a ransomware attack?

Ransomware attacks are a specific type of cyberattack wherein: 

• An attacker gains access to a company’s network 

• The attacker installs a program that encodes all company data, leaving it unreadable by company operators 

• The company will then be given notice of a payment, usually in the millions of dollars, if it wants to get access to its own data back 

In one particularly high-profile incident, in May last year, NYSE-listed US energy player Colonial Pipeline was hit with a ransomware attack demanding lots of money in bitcoin in exchange for a return of the data. 

The move was not taken lightly. The US government response was so voluminous, in fact, the White House issued a fact sheet (read: press release) outlining all the steps it had taken to mitigate the situation. Even Homeland Security got involved, though, the incident didn’t really change the trajectory of Colonial’s share price in any meaningful sense. 

Intel on how incident occurred to become clear

“I thank our customers for their patience during this incident,” Medibank CEO David Koczkar said, “and ongoing investigations continue to show no evidence customer data has been removed.” 

“I would like to thank the Australian Cyber Security Centre, regulators and departments who supported our response.” 

“We will also share technical information with peers across the industry as part of our commitment to helping others understand how this incident transpired.” 

A look at Medibank's three month charts; one month returns are down -5%