Time’s up in hack attack
‘Remain vigilant’: CEO
THE Russian hackers seemingly behind the massive Medibank breach have threatened to expose the data of almost 10 million customers in the next 24 hours if their demands are not met.
In a statement that included a quote from Chinese philosopher Confucius, the hackers advised people to sell their Medibank stocks and issued an ultimatum to the insurance giant.
“A man who has committed a mistake and doesn’t correct it is committing another mistake. – Confucius,” they wrote. “Data will be published in 24 hours.”
Medibank chief executive David Koczkar declared on Monday the company would not pay any ransom for the data theft that affected almost 10 million current and former policyholders.
Customers face an anxious wait to learn if the cyber criminals – who bought a high-level Medibank login from a Russian online crime forum – will act on their threat to publicly release their medical records and other sensitive information.
“Customers should remain vigilant. We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,” Mr Koczkar said on Tuesday.
“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them.
“The weaponisation of their private information is malicious, and it is an attack on the most vulnerable members of our community.”
Mr Koczkar said he was “devastated” for the customers, saying that they “deserve privacy”. But he said if Medibank caved to the demands of cyber criminals it would make Australia a softer target for repeat attacks.
“This is a significant decision for the business and we’ve had extensive expert advice, and the reality of that advice is that there was a small chance that paying a ransom – you can call it extortion – that it was very unlikely they may return customer data,” he said.
Two law firms announced on Monday they would team up to consider a class-action lawsuit against the company.
Bannister Law Class Actions and Centennial Lawyers are encouraging affected customers to register their interest.
“Medibank has a duty to keep this kind of information confidential,” they said.
“This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and ahm have failed policyholders.”
Home Affairs Minister Clare O’Neil welcomed Medibank’s decision to not pay, which was “consistent with government advice”.
“I want Australia to be the most cyber-safe country in the world. The payment of ransoms directly undermines that goal,” she said.