Operation Guardian links 11,000 new cyber-crime incidents to Medibank breach

28 Mar 2024, by Slade Baylis

A while ago – back in November of 2022 – we covered the data breaches of Optus, Medibank, and Harcourts - explaining how each of them were preventable by fairly basic changes to their systems and policies.  We wanted to let our readers know that these things aren’t inevitable, but also to provide our readers with the knowledge of what they can do in order to protect themselves from similar types of threats happening to them.

In response to the Optus breach in particular, the Australian Federal Police (AFP)¹ - in a multi-jurisdictional partnership between law enforcement and the private sector – started Operation Guardian to “supercharge the protection” of more than 10,000 customers whose identification credentials had been unlawfully released online. The goal of the operation was to identify and protect the more than 10,000 customers who had more than 100 points of identification stolen.

After the Optus breach, when Medibank had a similar data-breach targeting their customers, the AFP put out another media release², stating that the operation had been expanded to also encompass the customers affected in that breach as well.  Unfortunately, it’s now been revealed that as many as 11,000 cybercrime incidents or more have been linked specifically to the Medibank data breach. 

What is Operation Guardian?

In the days following the Optus breach in late 2022, the government was already moving quickly to help those customers who were affected by it.  As we reported³, state and federal governments had immediately responded by making it easier for those affected to replace identity documents that may have been compromised during the breach.  They were also looking at urgent reform with regards to cyber-crime, with the aim to make it easier to alert organisations, such as banks, as to which customers were at higher-risk or actively compromised. 

As mentioned though, one other action they took was to launch Operation Guardian – which is an ongoing joint partnership between law enforcement, the private sector and industry to combat the growing threat of cybercrime.  The aim of this operation is to offer multi-jurisdictional and multi-layered protection from identity crime and financial fraud, with a priority placed on the 10,000 individuals who potentially had 100 points of identification or more leaked in the breach.

The AFP stated that several methods would be used to help the affected customers, including:

• Identifying the 10,000 individuals across Australia at risk of identity fraud and alerting industry to enable further protection for those members of the public;
• Monitoring online forums, the internet and the dark web for other criminals trying to exploit the personal information released online;
• Engaging with the financial service industry to detect criminal activity associated with the data breach;
• Analysing trends from ReportCyber - the Australian Government's online cybercrime reporting tool - to determine whether there are links between individuals who have been exploited; and
• To identify and disrupt cyber criminals.

The expansion of Operation Guardian to encompass more than just Optus

In the months following the launch of the new operation - in November 2022 - its scope was expanded to encompass more than just the affected Optus customers. This was due to several more high-profile breaches occurring. Whilst not as large as the Optus breach, the Medibank breach – which affected 500,000 customers rather than the over ten million that were affected by the Optus breach – was considered serious enough for the AFP to expand the scope of the operation to also include these affected customers as well. 

It wasn’t the only breach to end up being included, as in March 2023, the operation was further expanded to also include the customers affected by the Latitude Services breach.  They stated that whilst there was no evidence to date that the personal details of Latitude Services customers were available or being sold online, they were already working with public and private sector agencies to “scour the internet and known criminal online sites to identify those who are attempting to buy or sell personally identifiable information (PII)”. 

Unfortunately, customers of Medibank have not been so lucky.  As of March 2024, IT News⁴ has reported that Operation Guardian has linked “over 11,000 cybercrime incidents” to the Medibank data breach specifically. This figure comes from a submission from the Victoria Police to a federal cybercrime inquiry, and it’s not clear whether the figure is just for Victoria alone or for the entire country.  However, it does help demonstrate the scope of the damage that results from these sorts of breaches – which is why it’s vital for organisations to take steps to prevent them.

What can you do to protect yourself?

Within our previous article covering the Optus, Medibank, and Harcourts breaches, we included information about what could have been done to prevent each breach.  We did this to help reassure our readers that although these sorts of data breaches aren’t inevitable, they can be prevented with relatively simple precautions being put in place.

Here are some things that can be done to help protect your organisation from similar types of attacks:

• Verify the identity of your users - The importance of 2FA and MFA
  In the Medibank breach, the attack vector was revealed to have been stolen user credentials who did not have two-factor authentication (2FA) enabled.  It’s for reasons like this that it’s important to enforce security policies like 2FA to help ensure that the person logging in is in fact who they claim to be.
• Secure your data - Allowing for the recovery of your infrastructure and data through backups
  With regards to threats against data specifically, such as ransomware, ensuring that you have a way of recovering data and your systems in the event of a breach is paramount.  With ransomware becoming an ever-growing threat due to how successful it is at extorting money from businesses, making sure you don’t ever get cornered into funding further cyber-crime helps protect you and also others.
• Secure your endpoints – Making sure your devices are protected against modern threats
  With most viruses taking an “infect and move laterally” approach to compromising systems, it’s important to make sure every endpoint on your infrastructure is protected.  By using modern endpoint protection services that rely on behaviour-based and heuristic-based detection⁵ – rather than signature-based antivirus applications – you can stay ahead of modern threats.
• Staff and training - The importance of creating a strong security culture
  With most successful cyber-attacks being ones that target individuals rather than systems, it’s important to make sure your staff are trained on what to look out for and up to date on your security policies.  Especially in light of the dawn of language-model AIs - which have already been utilised by malicious actors to help make phishing attacks harder to spot - this is going to be an even more crucial area that organisations will need to invest in, in order to remain secure. 

For more details on each of these points, we recommend checking out our Concerned about all the recent data breaches? Use these tips to protect yourself! article, as we go into more depth on each of them.

Have any question about how best to secure your systems?

If you have any questions about this article or want to have a chat about how best to secure your infrastructure, let us know!  Each business is different and will require a different strategy and we’ll be able to create a plan that works best for you.

You can contact us via phone on 1300 769 972 (Option #1) to have a chat about your requirements, or alternatively reach out to us via email at sales@micron21.com 

Sources

1, Australian Federal Police, “Operation Guardian delivers specialised protection for Optus customers”, <https://www.afp.gov.au/news-centre/media-release/operation-guardian-delivers-specialised-protection-optus-customers>
2, Medibank, “AFP media release - Operation Guardian expanded to protect stolen information of Australians”, <https://www.medibank.com.au/livebetter/newsroom/post/afp-media-release-operation-guardian-expanded-to-protect-stolen-information>
3, Micron21, “Optus, Medibank, and now Harcourts – If they can be breached, what can you do to prevent it?”, <https://www.micron21.com/blog/optus-medibank-and-now-harcourts-if-they-can-be-breached-what-can-you-do-to-prevent-it> 
4, IT News, “Australian police link "over 11,000 cybercrime incidents" to Medibank breach”, <https://www.itnews.com.au/news/australian-police-link-over-11000-cybercrime-incidents-to-medibank-breach-606023>
5, Micron21, “With 80% of malware evading antivirus applications, signature-based protection isn’t enough anymore”, <https://www.micron21.com/blog/with-80-of-malware-evading-antivirus-applications-signature-based-protection-isn-t-enough-anymore>