Hackers raise the stakes
Medibank deplores malicious release
THE Russian criminal group claiming to be behind the theft of sensitive information relating to almost 10 million Medibank customers has escalated its distribution of the data, disclosing hundreds of procedures including the termination of non-viable pregnancies.
The disclosure of more information – following the release of two documents titled the “naughty” and “nice” lists on Wednesday – comes after the country’s largest health insurer refused to pay a ransom demanded by the hackers.
Medibank admitted on October 19 that hackers had stolen the information of 9.7 million customers and wished to negotiate a ransom.
It was reported on Wednesday that the company had entered into lengthy discussions with the hackers, known as REvil, but later abandoned them.
One of the purported hackers – named for a villain from the Saw film franchise – in a message said the group had asked for a $US10m ransom ($A15.6m).
On Thursday, Medibank chief executive David Koczkar said the release of the latest batch of information was “disgraceful”.
“We remain committed to fully and transparently communicating with customers, and we will be contacting customers whose data has been released on the dark web,” Mr Koczkar said.
“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.
“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”
The new information contained a spreadsheet with the names and personal details of 303 patients and policyholders, along with the billing codes relating to pregnancy terminations.
Dozens of international students have also had their email addresses, policy numbers and phone numbers leaked online in a separate file.
On Wednesday, the Australian Federal Police said they would expand their investigation into an earlier data breach affecting Optus customers to include the Medibank incident.
The AFP said in a statement it was “aware that distressing and very personal information has been released on the dark web” and had immediately taken measures, including “covert techniques”, to identify further criminal activity.
“This is not just an attack on an Australian business. Law enforcement agencies across the globe know this a crime type that is borderless and requires evidence and capabilities to be shared,” AFP assistant commissioner Justine Gough told reporters.
“Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years’ imprisonment.”