Medibank has said it will not pay a ransom for data from almost 9.7 million current and former customers that was stolen in a data hack. Photograph: Lukas Coch/AAP

Medibank says ransomware group’s threat to release customer information a ‘distressing development’

This article is more than 1 year old

‘Data will publish within 24 hours’ post to darknet blog says, after Australian health insurer refused to pay ransom

A ransomware group has threatened to release Medibank customer data as Australia’s largest health insurer faces a possible class action after the data of 9.7 million current and former customers was hacked, in what the health insurer has described as a distressing development.

Medibank has confirmed almost 500,000 health claims were accessed and the personal details of former and current customers were exposed when an unnamed group hacked into its system weeks ago.

Around midnight, a ransomware group posted to its darknet blog that “data will be publish in 24 hours”.

“P.S. I recommend to sell medibank stocks.”

The post did not include data samples to back up its threat.

Medibank chief executive, David Koczkar, did not confirm whether the group was the same as the one the company had been in communications with, but said in a statement on Tuesday that it was a “distressing development”.

“Customers should remain vigilant. We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,” he said.

“This is horrendous, but not unsurprising if you look at ransomware like a business,” cybersecurity expert Troy Hunt said on Twitter on Tuesday.

“If they *don’t* dump the data publicly, what message does that send to future ‘customers’?”

The threat was posted on a site linked to the Russian ransomware group REvil, which was believed to have been taken down in October last year; the group’s website was resurrected in April this year, linking to the site where the Medibank threat has been posted.

Threat analyst Brett Callow told Guardian Australia that REvil “was brash and often taunted its victims”, so the post’s link to a satire video about the Medibank data breach by ABC comedian Mark Humphries is consistent with the group’s style.

Koczkar said on Monday that paying a ransom could make Australia “a bigger target” for data thefts by giving criminals an incentive.

“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said.

The home affairs minister, Clare O’Neil, said Medibank’s decision not to pay a ransom to cyber criminals was in line with government advice.

Meanwhile, two law firms, including one behind a successful case involving an Ambulance NSW data breach, say they believe Medibank betrayed customers and breached the Privacy Act by not stopping the hack.

“Medibank has a duty to keep this kind of information confidential,” Bannister Law and Centennial Law said in a statement late on Monday.

“This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank & ahm have failed policyholders in these circumstances.”

The law firms will investigate the terms of the contracts the medical insurance firm provided to customers and whether damages are appropriate.

No case has been filed with a court.

Affected customers can register on the law firms’ websites.

The hacker accessed the health claims of about 160,000 Medibank customers, about 300,000 claims from offshoot ahm customers, and about 20,000 international customers.

Names, dates of birth, addresses, phone numbers and email addresses were also accessed, raising concerns about future identity fraud.

No credit card or banking details were accessed.

Australian Associated Press contributed to this report
