Hackers dump the lot
Medibank’s clean-up work ‘is not over’
RUSSIAN hackers have dumped the entire cache of stolen Medibank data on the dark web, declaring the attack “case closed”.
But the health insurer’s chief executive, David Koczkar, says its “work is not over” in cleaning up Australia’s biggest cyber heist.
The hacking group, known as REvil, published the single biggest folder of stolen data on the dark web, after previously having drip-fed the release of customer health records relating to pregnancy terminations, drug and alcohol abuse and mental-health conditions.
Given the size of the latest file, 6.5 gigabytes, Medibank said it continued to work through the data to confirm it is the information stolen from its systems. The data of almost 10 million customers was exposed during the cyber assault.
Early indications are that it is, though the hackers have not matched some of the information with the names of customers, as they had in previous instances.
Mr Koczkar said the data appeared to be the customer information, but said it was “incomplete and hard to understand”. Crucially, in what may come as a relief to millions of Medibank customers, he said the data was not sufficient to enable fraud.
“While there are media reports of this being a signal of ‘case closed’, our work is not over,” Mr Koczkar said.
“While our investigation continues, there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identify and financial fraud.”
As the hackers were dumping the entire cache of stolen data, Melbourne-based law firm Maurice Blackburn launched compensation claim for those who had their information exposed in the attack.
Under the Privacy Act, companies that do not take reasonable steps to protect the personal information of clients face penalties, including fines, and consumers may also be compensated for privacy breaches.
Maurice Blackburn has lodged a representative complaint with the Office of the Australian Information Commissioner (OAIC) against Medibank, alleging the health insurer failed to safeguard its customers’ data.
Maurice Blackburn principal lawyer Andrew Watson said the OAIC offered “an avenue of redress to the millions affected by this incident”.
“The disclosure of personal information, particularly the nature of the information held by Medibank, has caused millions of Australians significant distress,” Mr Watson said.
“The right to privacy is a fundamental human right.
“We cannot undo the damage that has been caused in this data breach, but we can ask the (OAIC) commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected, including for financial or non-financial loss, such as humiliation, stress, and feelings of anxiety.”
Mr Koczkar said the health insurer was supporting its customers, including offering “financial hardship measures”.
“We are remaining vigilant and are doing everything we can to ensure our customers are supported,” he said. “It’s important everyone stays vigilant to any suspicious activity online or over the phone.
“We will continue to support all people who have been impacted by this crime.”