Ransomware group threatens to publish Medibank data ‘in 24 hours’
A ransomware group has threatened to release Medibank client data as Australia’s largest health insurer faces a possible class action over the hacking of sensitive information for 9.7 million current and former customers.
Medibank has confirmed almost 500,000 health claims were accessed and the personal details of former and current customers were exposed when an unnamed group hacked into its system weeks ago.
Around midnight, a ransomware group posted to its dark web blog that “data will be publish (sic) in 24 hours”.
“P.S. I recommend to sell (sic) medibank stocks.”
The post did not include data samples to back up the threat.
“This is horrendous, but not unsurprising if you look at ransomware like a business,” cybersecurity expert Troy Hunt said on Twitter on Tuesday.
“If they *don’t* dump the data publicly, what message does that send to future ‘customers’?”
- Related story: Ransom warning for Medibank customers
Tweet from @Jeremy_Kirk
Medibank chief executive David Koczkar on Monday said paying a ransom could make Australia a bigger target for data thefts by giving criminals an incentive.
“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said.
Home Affairs Minister Clare O’Neil said Medibank’s decision not to pay a ransom to cyber criminals was in line with government advice.
Appearing at a Senate estimates hearing on Tuesday, Australian Federal Police commissioner Reece Kershaw fired a warning at businesses to ensure they contacted authorities as early as possible when a data breach might be occurring.
With the AFP launching operations to tackle both the Medibank and Optus data breaches, Mr Kershaw said the long and complex investigations would use significant resources.
“Apart from sending a warning to cyber criminals that the AFP will relentlessly pursue them, I also have a message to business: please alert authorities immediately when a data breach is suspected,” he said.
“It’s like any crime scene. The longer it takes relevant agencies to be informed, the harder it is for perpetrators to be identified, disrupted or brought to justice.”
Meanwhile, two law firms, including one behind a successful case involving an NSW Ambulance data breach, say they believe Medibank betrayed customers and breached the Privacy Act by not stopping the hack.
“Medibank has a duty to keep this kind of information confidential,” Bannister Law and Centennial Law said in a statement late on Monday.
“This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and Ahm have failed policyholders in these circumstances.”
The law firms will investigate the terms of the contracts the medical insurance provided to customers and whether damages are appropriate.
No case has been filed with a court.
The hacker accessed the health claims of about 160,000 Medibank customers, about 300,000 claims from customers of offshoot Ahm and about 20,000 international customers.
Names, dates of birth, address, phone numbers and email addresses were also accessed, raising concerns about future identity fraud.
No credit card or banking details were accessed.
-AAP