Hackers label victims ‘naughty’ or ‘nice’ as medical records leaked after huge Australia data breach
- The sensitive medical records of some 9.7 million Medibank customers have been held for ransom by hackers since being stolen earlier this year
- On Wednesday, the health insurer told investors that a ‘sample’ of the data had been posted on a ‘dark web forum’ – and that more leaks were likely
Medibank told investors that a “sample” selection of customer data from some 9.7 million clients had been posted on a “dark web forum” on Wednesday after it refused to pay a ransom demand.
The data included names, birth dates, passport numbers and information on medical claims for hundreds of customers who were separated into “naughty” and “nice” lists.
Some on the “naughty” list had numeric codes that appeared to link them to drug addiction, alcohol abuse and HIV infection.
For example, one record carried an entry that read: “p_diag: F122”.
F122 corresponds with “cannabis dependence” under the International Classification of Diseases, published by the World Health Organization.
Medibank is Australia’s largest private health insurer and the hack is likely to include some of the country’s most influential and wealthy individuals.
Prime Minister Anthony Albanese, himself a Medibank customer, said the attack was a “wake-up call” for corporate Australia.
The perpetrator of the hack has not yet been publicly identified. But the Australian Federal Police’s Justine Gough said it was the work of a “criminal or criminal groups” that could be operating outside the country.
Medibank informed the Australian Securities Exchange about the leak shortly before the market opened.
“The files appear to be a sample of the data that we earlier determined was accessed by the criminal,” the company said in a statement.
“We expect the criminal to continue to release files on the dark web.”
“P.S I recommend to sell Medibank stocks,” the purported hackers wrote on the forum about 24 hours before the first batch of data was released.
With the political backing of Australia’s federal government, Medibank on Tuesday refused the demand – instead warning customers to remain “vigilant”.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank boss David Koczkar said.
The group also uploaded what they said were a series of exchanges between themselves and Medibank representatives.
“We will do everything in our power to inflict as much damage as possible for you, both financial and reputational,” one message read.
The security breach has already wiped hundreds of millions of US dollars off Medibank’s market value, with the company’s share price down over 20 per cent since October, when news of the leak first emerged.
Justine Gough, assistant commissioner of the Australian federal police’s Cyber Command, said the “criminal or criminal groups” responsible for the hack could be operating outside of Australia.
“We shouldn’t be giving in to these fraudsters,” he told Sky News Australia. “The moment we fold, it sends a green light to scumbags like them throughout the world that Australia is a soft target.”
As Medibank scrambles to contain the leak, it is also staring down the barrel of a potentially costly class-action lawsuit.
Two law firms said on Tuesday they had joined forces to investigate whether Medibank had breached its obligations to customers under the country’s Privacy Act.