Russian Hackers Who Attacked Australia’s Largest Medical Insurer Release Massive 6.5 Gigabytes of Stolen Data

Russian Hackers Who Attacked Australia’s Largest Medical Insurer Release Massive 6.5 Gigabytes of Stolen Data
People walk past a Medibank store on Elizabeth Street in Melbourne, Australia, on Nov. 10, 2022. AAP Image/Diego Fedele
Rebecca Zhu
Updated:

The Russian cybercriminals that stole personal data from nearly 10 million Australians have released the single largest data dump to date, announcing it was “case closed” for the Medibank hacking saga.

Six zipped folders, with around 6.5 gigabytes of raw data in a folder called “full” was published by the hacking group on Thursday.

A message on their dark web blog, attached with the stolen data, read, “Happy Cyber Security Day!! Added folder full. Case Closed.”

Up until Thursday, the stolen personal data had been released continuously in tiny batches.

Medibank, Australia’s largest health insurer, said they were aware of the latest data dump and expected the continued release of even more files.

David Koczkar, Medibank CEO, said that for the company, the work of handling the aftermath “is not over.”

“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.”

Koczkar warned that anyone who downloaded this data from the dark web and attempted to profit from it was committing a crime.

“The Australian Federal Police have said law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offences using stolen Medibank customer data,” he said.

Medibank’s initial analysis of the data found that the newly released  data appeared to be stolen data but was “incomplete and hard to understand.”

“For example, health claims data released today has not been joined with customer name and contact details,” the company said.

Koczkar also offered another apology to customers, and advised that concerned customers would be able to receive support from its cybercrime and mental health hotlines.

The company has also extended call centre hours and upgraded call centre security with two-factor authentication.

“Again, I unreservedly apologise to our customers,” Koczkar said.

“We remain committed to fully and transparently communicating with customers, and we will continue to contact customers whose data has been released on the dark web.”

Medibank signage sits on top of the Medibank building in Docklands, Melbourne, Australia, on Oct. 1, 2014. (Scott Barbour/Getty Images)
Medibank signage sits on top of the Medibank building in Docklands, Melbourne, Australia, on Oct. 1, 2014. Scott Barbour/Getty Images

It comes after the Australian Prudential Regulation Authority (APRA) announced it had intensified its supervision of Medibank.

APRA member Suzanne Smith said they would consider whether further regulatory action would be needed following an external review to be conducted by a third party.

“Cyber security is a highly significant risk area for all regulated entities, and we remind banks, insurers and superannuation funds to remain vigilant in order to protect their beneficiaries and the Australian community,” she said on Monday.

Who Was Affected?

The company warned customers that the hackers accessed the name, dates of birth, addresses, medicare numbers, phone numbers and email addresses of around 9.7 million current and former customers, including around 5.1 million Medibank customers, 2.8 million ahm health insurance customers, and 1.8 million international customers.

Australian health claim data for around 160,000 Medibank customers, around 300,000 ahm customers, and around 20,000 international customers, including service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered, was also breached.

However, credit card and banking details, as well as data on health claims for dental, physiotherapy, optical and psychology, were not breached, the company said.

Medibank previously notified customers that it would not give in to the cyber hacker’s ransom demands based on extensive advice from experts and the Australian government.

“We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Koczkar said.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”

After releasing the health data of 200 people, the hacker demanded a ransom of US$10 million ($15 million) in return for not publishing any more data.
Meanwhile, the health insurer is facing legal action from law firm Maurice Blackburn, which has lodged a representative complaint against Medibank to the Office of the Australian Information Commissioner (OAIC).
OAIC also launched an investigation into Medibank’s practices in holding and protecting personal information.
Victoria Kelly-Clark contributed to this report.
Related Topics