The alleged hacker behind the Medibank data breach has demanded US$10 million for not releasing more customers’ personal information after posting 200 users’ health data on the dark web.
On early Thursday morning, the hacker posted a message on a dark web blog linked to the REvil Russian ransomware group, claiming:
“Society asks us about ransom; it’s a 10 million [sic] USD. We can a=make discount 9.7m 1$=1 customer.”
“Medibank [sic] CEO stated, that ransom amount is ‘irrelevant.’ We want to inform the customer that He refuses to pay for yours [sic] data more, like 1 USD per person. So, probably customers data and extra efforts don’t cost that.”
The data leak took place after Australia’s largest health insurer refused to pay a ransom.
The health insurance company confirmed that almost 500,000 health claims were stolen, while some 9.7 million current and former customers have been affected. However, Medibank said no credit card or banking details were accessed.
Medibank chief executive David Koczkar said Medibank took its responsibility to secure customer data seriously and that the company "unreservedly apologise[d]" to its customers.
“We remain committed to fully and transparently communicating with customers, and we will be contacting customers whose data has been released on the dark web,” he said.
“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.”
“These are real people behind this data, and the misuse of their data is deplorable and may discourage them from seeking medical care.”
Home Affairs Minister Clare O’Neil said Medibank made the right decision in not paying a ransom, which was consistent with the government’s policy.
“Cyber criminals cheat, lie and steal,” she said.
“We urge people who may be affected to be on high alert for attempts by cybercriminals to extort individuals over their personal information.”
“Do not assume that anyone who contacts you has access to your data or that paying a ransom will protect your data privacy.”
“Cyber criminals commit to undertaking actions in return for payment, but so often re-victimise companies and individuals.”
Medibank has advised customers to be alert to phishing scams arriving by phone, post or email. The company urged affected customers to report any such scams immediately through the Australian Cyber Security Centre website or via ScamWatch, and encouraged concerned customers to call Medibank's contact centres.
The health insurer also reiterated on Thursday that it would never contact customers to ask for passwords or sensitive information.