A band of Russian hackers has begun posting customer data from Australia’s largest health insurer, Medibank, on the dark web.
Hundreds of names, addresses, birthdates and Medicare details were being posted under ‘good-list’ and ‘naughty-list’ on a blog belonging to the group on Wednesday morning.
The hackers had demanded a ransom to stop them from releasing the data, but Medibank earlier this week said it would not pay it because it would encourage further crime.
Shortly after midnight, the group posted the first lists and warned it is about to drop even more but they ‘need some time’.
‘Looking back that data is stored not very understandable format (table dumps) we’ll take some time to sort it out,’ they said.
‘We’ll continue posting data partially, need some time to do it pretty.’
The hackers appeared to have revealed screenshots of private messages recently exchanged between themselves and Medibank representatives
The hackers also appeared to have revealed screenshots of private messages recently exchanged between themselves and Medibank representatives.
Medibank has previously confirmed almost 500,000 health claims were stolen by the hackers, along with personal information, when the unnamed group hacked into its system weeks ago.
Around 9.7 million current and former customers have been affected.
No credit card or banking details were accessed.
On Tuesday, the ransomware group posted to its blog that ‘data will be publish (sic) in 24 hours’.
‘P.S. I recommend to sell (sic) medibank stocks.’
Hundreds of names, addresses, birthdates and Medicare details were being posted under ‘good-list’ and ‘naughty-list’ on a blog belonging to the group
Medibank apologised again to clients past and present on Tuesday. It advised customers to be alert for any phishing scams via phone, post or email.
‘We knew the publication of data online by the criminal could be a possibility but the criminals’ threat is still a distressing development for our customers,’ CEO David Koczkar said on Tuesday.
He said he was ‘devastated’ for customers, who ‘deserve privacy’, but said if Medibank gave in to the demands of the criminals it would make Australia a target for more such attacks.
‘This is a significant decision for the business and we’ve had extensive expert advice and the reality of that advice is that there was a small chance that paying a ransom – you can call it extortion – that it was very unlikely they may return customer data,’ Mr Koczkar told The Australian.
‘In fact, you just can’t trust a criminal.’
The hackers posted a bizarre meme (pictured) as they threatened to release the personal data of millions of Australia in 24 hours unless Medibank pays up
Mr Koczkar said not paying the hackers is ‘consistent with the government policy on paying ransom, so that’s why we’ve made the decision we have to not pay a ransom’.
Home Affairs Minister Clare O’Neil confirmed that Medibank’s decision not to pay a ransom to cyber criminals was in line with government advice.
She said she ‘doesn’t have words to express the disgust’ she feels over the leaking of people’s personal details.
‘The fact that personal health information is being held over their head is just disgusting to me,’ she said on Wednesday.
‘It just shows us that these cyber criminals who we are joined in a fight against between the Five Eyes (Australia, Canada, New Zealand, UK, US) and other friends of partners around the world, they are just disgraceful human beings and we need to step up and do everything we can to fight back against them.’
Ms O’Neil said she wants ‘Australia to be the most cyber-safe country in the world. The payment of ransoms directly undermines that goal.
‘The Australian government, after a wasted decade for digital reform, is stepping up on cyber security and ransomware … we see and recognise the urgent need to address the conditions that have allowed the two largest cyber attacks in our history to occur within the space of two months.’
Assistant treasurer Stephen Jones also blasted the hackers on Wednesday.
‘They’re scumbags, they’re crooks, they’re criminals and we shouldn’t be paying ransom,’ he told Sky News.
‘We shouldn’t be giving in to these fraudsters. The moment we fold it sends a green light to scumbags like them throughout the world that Australia is a soft target. We cannot give in and we won’t give in.’
Mr Jones said Australia needed to quickly lift protection against cyber threats.
Medibank is not alone in refusing to pay a ransom demand, with a recent report finding only 19 per cent of Australian companies responded to ransomware attacks by paying the fee.
Medibank has repeatedly apologised to clients past and present but said it would not pay the ransom
Mimecast’s 2022 State of Ransomware Readiness report found 20 per cent of companies were asked to pay between $500,000 and $999,999 for their information.
Thirteen per cent of the businesses surveyed said the total cost of the ransomware attacks they’d experienced was between $1million and $2million.
At a Senate estimates hearing on Tuesday, Australian Federal Police commissioner Reece Kershaw told businesses to make sure they contact authorities as early as possible if they suspect a possible data breach.
With the FBI now helping the AFP track down those behind the Medibank and Optus data breaches, Mr Kershaw said investigating would be long and complex.
‘The longer it takes relevant agencies to be informed, the harder it is for perpetrators to be identified, disrupted or brought to justice,’ he told senators.
Medibank data hack timeline
October 13: Medibank took the data and policy systems of its budget provider, ahm, and its international student division offline after a ‘cyber incident’
October 14: Medibank said it had restored its systems and said it was ‘still responding’ to the incident
October 19: The company disclosed to the Australian stock exchange that hackers had contacted it to ‘negotiate’ over 200 gigabytes of customer data stolen from Medibank’s systems
October 26: Medibank confirmed the hackers behind its ‘devastating’ data breach managed to access all of its customers’ private health records
October 27: It emerged that Medibank faced costs of up to $30million after it was revealed it had no insurance to protect itself from a cyber attack
November 8: Cyberhackers threatened to expose the personal data of millions of Australians unless Medibank paid up within 24 hours. The company refused to pay, saying ‘you just can’t trust a criminal’
November 9: The ransomware group began posting client data stolen from Australia’s largest health insurer on the dark web