Companies have a few options for detecting unauthorized access to files, which may have helped catch the attack before a significant amount of customer data was exfiltrated in this case. Canary tokens can be used to create files that appear highly valuable but raise an alert when accessed. Companies can also set up canary accounts: accounts that appear to be used for accessing critical data and that trigger an alert on a successful login, baiting attackers into logging in. Many data classification solutions also offer restrictions on the times during which groups of users can access data, and can help provide a behavioral baseline of normal usage against which abnormal access can be identified. NetFlow data can also be used to establish a baseline of network traffic to better identify data exfiltration or command and control (C2) traffic.
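
The NetFlow baseline idea above, as an added example that is not part of the original article: it sums each host's daily outbound bytes and flags a day that sits far above that host's own history, using a median/MAD score. The flow records, host names, addresses, threshold and minimum history length are all constructed assumptions.

```python
import statistics
from collections import defaultdict

MB = 1_000_000
# Constructed flow summaries (day, src_host, dst_ip, bytes_out); hosts and IPs are made up.
BASELINE = [(d, "db01", "198.51.100.10", (40 + 3 * d) * MB) for d in range(1, 8)]
BASELINE += [(d, "web01", "198.51.100.20", (500 + 10 * (d % 3)) * MB) for d in range(1, 8)]
TODAY = [
    (8, "db01", "198.51.100.10", 45 * MB),
    (8, "db01", "203.0.113.77", 9_000 * MB),  # constructed bulk transfer
    (8, "web01", "198.51.100.20", 515 * MB),
    (8, "hr-ws07", "203.0.113.5", 2 * MB),    # host with no recorded history
]

def daily_egress(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for day, src, _dst, nbytes in flows:
        totals[(src, day)] += nbytes
    return totals

def flag_anomalies(baseline_flows, new_flows, threshold=6.0, min_days=5):
    """Return (host, day, bytes, score) for egress far above the host's own baseline.

    score is a robust z-score (median/MAD); None means the host has too little
    history to judge, which is surfaced for review rather than silently passed.
    """
    history = defaultdict(list)
    for (src, _day), total in daily_egress(baseline_flows).items():
        history[src].append(total)
    alerts = []
    for (src, day), total in sorted(daily_egress(new_flows).items()):
        past = history.get(src, [])
        if len(past) < min_days:
            alerts.append((src, day, total, None))
            continue
        med = statistics.median(past)
        # MAD can be 0 for a perfectly steady host; floor it to avoid dividing by zero.
        mad = max(statistics.median(abs(x - med) for x in past), 1)
        score = 0.6745 * (total - med) / mad
        if score > threshold:
            alerts.append((src, day, total, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for host, day, nbytes, score in flag_anomalies(BASELINE, TODAY):
        print(f"ALERT host={host} day={day} egress_mb={nbytes // MB} score={score}")
```

A per-host baseline keeps a busy web server from masking a large transfer out of a normally quiet database host.
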
https://thehackernews.com/2022/11/medibank-refuses-to-pay-ransom-after-97.html
https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-release-stolen-medibank-data/

