Hacker threatens release of Medibank data

Luke Costin and Alex Mitchell | November 8, 2022

The clock is ticking for Medibank to pay a ransom fee or a ransomware group will release the client data it’s stolen from Australia’s largest health insurer, the hackers claim.

Medibank has confirmed almost 500,000 health claims were accessed along with personal information when an unnamed group hacked into its system weeks ago.

At about midnight AEDT on Tuesday, a ransomware group posted to its dark web blog that “data will be publish (sic) in 24 hours”.

“P.S. I recommend to sell (sic) medibank stocks.”

The post did not include data samples to back up the threat.

“This is horrendous but not unsurprising if you look at ransomware like a business,” cybersecurity expert Troy Hunt said on Twitter on Tuesday.

“If they *don’t* dump the data publicly, what message does that send to future customers?”

Medibank, which this week said paying a ransom would encourage further crime, apologised again on Tuesday.

It advised customers to be alert for any phishing scams via phone, post or email.

“We knew the publication of data online by the criminal could be a possibility but the criminal’s threat is still a distressing development for our customers,” chief executive David Koczkar said on Tuesday

Home Affairs Minister Clare O’Neil said Medibank’s decision not to pay a ransom to cyber criminals was in line with government advice.

Medibank is certainly not alone in refusing to pay a ransom demand, with a recent report finding 19 per cent of Australian companies responded to ransomware attacks by paying the fee.

Mimecast’s 2022 State of Ransomware Readiness report found 20 per cent of companies were asked to pay between $500,000 and $999,999 for their information

Some 13 per cent of the businesses surveyed said the total cost of the ransomware attacks they’d experienced was between $1 million and $2 million.

Appearing at a Senate estimates hearing on Tuesday, Australian Federal Police commissioner Reece Kershaw fired a warning at businesses to ensure they contacted authorities as early as possible when a data breach might be occurring.

With the FBI now helping the AFP track down those behind the Medibank and Optus data breaches, Mr Kershaw said the long and complex investigations would use significant resources.

“It’s like any crime scene,” he said.

“The longer it takes relevant agencies to be informed, the harder it is for perpetrators to be identified, disrupted or brought to justice.”

Meanwhile, two law firms, including one behind a successful case involving an NSW Ambulance data breach, say they believe Medibank betrayed customers and breached the Privacy Act by not stopping the hack.

The insurer faces a possible class action over the hacking of the 9.7 million current and former customers.

“This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank and Ahm have failed policyholders in these circumstances,” Bannister Law and Centennial Law said in a statement late on Monday.

No case has been filed with a court.

The hacker accessed the health claims of about 160,000 Medibank customers, about 300,000 claims from customers of offshoot Ahm and about 20,000 international customers.

Names, dates of birth, addresses, phone numbers and email addresses were also accessed, raising concerns about future identity fraud.

No credit card or banking details were accessed.