October 20, 2022
Hackers claiming to have stolen reams of data from Medibank Private have threatened to sell confidential customer information, including sensitive health conditions and credit card details, unless the insurer pays it a ransom.
In a message obtained by this masthead, the hacking group claims to have stolen 200 gigabytes of sensitive information from Medibank, and threatens to contact its 1000 most prominent customers with their own personal information as a warning shot. This masthead was unable to verify the authenticity of the claims but in a response to questions on Wednesday afternoon, Medibank acknowledged it had received a threat and was taking it seriously.
The message to Medibank, obtained by The Sydney Morning Herald and The Age, makes a series of ultimatums in broken English.
“We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.”
Medibank, which has 3.9 million customers, first disclosed the hack last week and initially said there was no evidence any sensitive customer data had been accessed. The purported threat to release sensitive customer information, including health records, represents a significant escalation in the recent wave of cyberattacks against Australian companies.
Telco giant Optus was recently hit by the biggest cyberattack in Australian history, and a string of other companies have been affected by the issue in recent weeks, including wine retailer Vinomofo and Woolworths’ MyDeal website.
Hackers routinely demand ransoms for the return or deletion of stolen information but payment is no guarantee that they will follow through, given the criminal nature of their actions.
Trading in Medibank shares was halted on Wednesday but the company issued an update on the situation to the ASX after the market close confirming it had been approached by a group alleging to have stolen data and wanting to open negotiations.
“Medibank is working urgently to establish if the claim is true, although based on our ongoing forensic investigation we are treating the matter seriously at this time,” the statement reads. “As a health company providing health insurance and health services, Medibank holds a range of necessary personal information of customers.”
Medibank chief executive David Koczkar said in the statement that the company was prioritising transparency and its team was working around the clock to protect customers and staff.
“I apologise and understand this latest distressing update will concern our customers,” Koczkar said. “We have always said that we will prioritise responding to this matter as transparently as possible.”
The wave of cyberattacks on corporate Australia has thrust the issue into the national spotlight. It has prompted the government to promise urgent reform that could increase fines for privacy breaches.
On Tuesday last week, Medibank detected unusual activity on its network, contacted authorities and took its ahm brand and international student policy systems offline as a defensive measure. The systems were restored days later and the company initially stressed it had no evidence that sensitive information had been accessed.
As recently as Monday this week, Medibank said: “There remains no evidence customer data has been removed from the network” but it added that its “investigation continues”.
Cybersecurity Minister Clare O’Neil’s office released a statement on Wednesday night.
“A significant cybersecurity incident has occurred within Medibank. The facts are continuing to be established,” she said.
The minister said she had spoken to the company’s chief executive, the Australian Federal Police and the Australian Signals Directorate.
“Medibank is cooperating with government in responding to this incident,” O’Neil said.
Federal opposition cyber spokesman James Paterson said the government should tell Australians what steps they had taken to address the incident.
“If verified, these threats are incredibly serious and will be of great concern to Medibank customers who were previously assured by the company that sensitive information of this nature was not lost,” Paterson said.