Pages

Thursday, December 01, 2022

Medibank hackers dump entire data set

 More Medibank customer data released onto dark web. Has everything now been released?


Medibank hackers dump entire data set

Share

Russian criminals who stole the personal information of about 10 million Australians from Medibank have dumped a series of very large files, believed to be filled with sensitive customer data on the dark web.

In a message attached to the data files, the hackers declared “case closed”.
“Happy Cyber Security Day!!! Added folder full. Case closed,” the group wrote on their dark web blog.

Criminals have allegedly posted all the data stolen online. Steven Siewert

The smallest file, which has been viewed by The Australian Financial Review, contains 50 spreadsheets each with hundreds or thousands of entries.

Medibank said in a statement that it was aware of the release and “we are in the process of analysing the data, but the data released appears to be the data we believed the criminal stole”.

The health insurer says it expects to see more data being released.

While our investigation continues there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand,” it said.

Medibank chief executive David Koczkar said the organisation was not treating the issue as “case closed” as the hacker suggested.

“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.

“Anyone who downloads this data from the dark web, which is more complicated than searching for information in a public internet forum and attempts to profit from it is committing a crime.”

Mr Koczkar apologised again, and said the health insurer would support its customers, including mental health, wellbeing support, identification protection, financial hardship measures, and its call hours would be extended.

Class action law firm Maurice Blackburn has lodged a formal complaint with the Office of the Australian Information Commissioner, which can order Medibank to pay affected customers.

The complaint alleges Medibank failed in its duties to not taking steps to protect the privacy of its customers’ personal information and sensitive health data from unauthorised access and exposure.

“The disclosure of personal information, particularly the nature of the information held by Medibank, has caused millions of Australians significant distress. The right to privacy is a fundamental human right, and the representative complaint to the Australian Information Commissioner offers an avenue of redress to the millions affected by this incident,” Maurice Blackburn principal lawyer Andrew Watson said.

“We cannot undo the damage that has been caused in this data breach, but we can ask the Commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected, including for financial or non-financial loss, such as humiliation, stress, and feelings of anxiety.”

Government Services Minister Bill Shorten labelled the development “shocking” and the hackers “absolute criminal lowlifes” during a morning interview on ABC RN Breakfast.

“If people think that any government ID has been in any way breached or they’re aware of it, contact us. When it comes to things like your Medicare card, we will replace it.”

Mr Shorten said it was disturbing all the data was out now, and the government was focused on protecting individuals who have had sensitive medical information posted online.

With financial information, a victim can cancel a credit card or put a credit lock on it, but with medical information, it is simply out there.

The criminals began publicly leaking the data in early November.

Information posted to the dark web, seen by the Financial Review, includes WhatsApp messages on October 18 at 10.38pm allegedly from the hackers to Mr Koczkar revealing the so-called “naughty list”, in which the customer details were first shared.

Mr Koczkar previously said Medibank had no idea any customer data had been stolen until it was sent to the insurer, but has continued to say its systems are robust. The information was obtained after a criminal stole a password and username from someone with the ability to gain access to all of Medibank’s customer data.

Medibank was forced to say the data of 9.7 million Australians, including people who could be in significant danger if their information was misused, had been stolen.

In mid-November, the Australian Federal Police said it had identified some of the individuals responsible and would pursue them, with experts suggesting Interpol was most likely to intercept the criminals if they tried to leave Russia or if they were located in another country.

The hackers are believed by experts to be linked to Russia-backed cybercrime gang REvil. They were one of the most notorious cybercrime gangs in the world. Then, after drawing too much heat from US President Joe Biden over an attack of software business Kaseya in July 2021, they disappeared.

Max Mason covers courts, insolvency, regulation, financial crime, cybercrime and corporate wrongdoing. He joined the masthead in 2013 and has held a number of roles, including media editor and telecommunications reporter. He is based in Sydney.Connect with Max on Twitter. Email Max at max.mason@afr.com
Ayesha de Kretser is a Senior Financial Services Reporter with The Australian Financial ReviewConnect with Ayesha on Twitter. Email Ayesha at ayesha.dekretser@afr.com.au
John Davidson is an award-winning columnist, reviewer, and senior writer based in Sydney and in the Digital Life Laboratories, from where he writes about personal technology. Connect with John on Twitter.Email John at jdavidson@afr.com