The alleged hackers who stole the personal data of all Medibank Private customers (past and present) released, in the early hours of the morning on December 1, a huge file on the dark web.
The criminals posted on the dark web, “Happy Cyber Security Day!!! Added folder full. Case closed.”
The file attached to the cryptic message was titled “Full” and is more than 6 gigabytes, far larger than any of the files the hackers had uploaded previously.
Many are concerned that the file contains all of the data the hackers accessed during the Medibank data breach and that they’ve uploaded everything because Medibank consistently refused to pay them a hefty ransom.
Medibank has been contacted for comment.
On previous occasions when the hackers posted Medibank data on the dark web, they included an alarming message, posted on November 10.
The ransomware group claimed to have the data of 9.7 million Medibank customers and demanded a US$10 million ransom; roughly $15 million in Australian dollars.
The hackers then said they would take a slightly lesser amount.
“Society ask us about ransom, it’s a 10 millions usd. We can make discount 9.7m 1$=1 customer [sic],” the post read.
The hackers also claimed that they had shared extremely sensitive information of some Medibank customers.
“Added one more file abortions.csv…”
Medibank said they are “aware that the criminal has released an additional file on a dark web forum containing customer data that is believed to have been stolen from Medibank’s systems.”
The private health insurance company also implored media and the general public to refrain from looking up the files these hackers have posted and to refrain from contacting the hackers “given the sensitive nature of the stolen customer data that is being released on the dark web.”
“The weaponisation of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” David Koczkar, Medibank’s chief executive, said.
“These are real people behind this data, and the misuse of their data is deplorable and may discourage them from seeking medical care.”
The alleged hackers first emerged online on November 9, after not being paid a ransom by Medibank.
The names, addresses, birthdates and Medicare details of hundreds of Medibank Private customers appeared on the dark web under a “good-list” and a “bad-list”.
The Medibank customer details were posted on a blog that has been linked to REvil, a ransomware group with strong Russian ties.
The hackers posted, along with the data, the following message:
“Looking back that data is stored not very understandable [sic] format, we’ll take some time to sort it out… We’ll continue posting data partially, need some time to do it pretty.”
Screenshots of private messages showing an alleged exchange between the hackers and Medibank representatives were also posted. The final message is dated November 7 and is supposedly from Medibank, saying they would not pay the ransom.
While it still hasn’t been confirmed whether or not these screenshots are real, they align with an announcement Medibank made on November 7: that they would not pay the hacker responsible for the breach a ransom.
David Koczkar, Medibank’s chief executive, said in a statement, “Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”
“It is for these reasons we have decided we will not pay a ransom for this event,” Mr Koczkar concluded.
Mr Koczkar also revealed that 9.7 million Medibank customers (both past and present across the Medibank and ahm brands) were affected by the data breach, and that the hacker had access to their basic customer information: name, date of birth, address, phone number and email address.
He also announced that it’s been determined that roughly 500,000 customers’ private health information and past claims data was accessed by the hacker.
Mr Koczkar stressed that absolutely no credit card details were stolen or accessed by the hacker.
For context, in mid-October 2022, Medibank faced a major security breach and initially, the company downplayed the cyberattack.
However, Medibank then announced on October 27, during an investors update, that the personal data of nearly 4 million customers (we now know it was actually 9.7 million) was accessible to hackers during the breach. International student customers were also affected.
During the investors update, Mr Koczkar said, “Our priority now is to safeguard our customers and their data given we now know that data has been stolen.”
Mr Koczkar also apologised to Medibank customers while John Goodall, Medibank’s group executive of technology and operations, assured the company was doing all it could to make sure the hacker no longer had access.
“It’s an ongoing forensic analysis. Everywhere we’ve identified a breach, it’s now closed,” Mr Goodall said.
If you’re a customer with Medibank, here’s what you can do to protect yourself and everything else you need to know.
What data has been breached?
The data stolen in the Medibank breach is extensive. The following information is believed to be compromised for Medibank and ahm customers:
- Names
- Email addresses
- Home addresses
- Dates of birth
- Medicare card numbers
- Policy numbers
- Phone numbers
- Health claims data
How to know if your data has been breached?
Medibank has said that if they find that a customer’s data has been stolen, they’ll notify them by email. But considering that the latest announcement confirmed most, if not all, customers had been affected, any present or former Medibank/ahm customer should remain vigilant.
What should I do about the Medibank data breach?
Medibank is urging all customers to either visit the company’s cyber incident support page or call the company’s cyber response hotlines (the phone number for Medibank customers is 13 23 31 and the phone number for ahm customers is 13 42 46).
As part of a support package, Medibank is providing their customers with a few resources to help them during this time. These include:
- Customers in a “uniquely vulnerable position as a result of this cybercrime” will be given financial support.
- Customers whose primary ID has been fully compromised will be provided with identity monitoring support.
- All customers will be given access to resources and specialist identity protection advice from IDCARE.
- All customers have access to free mental health support; customers can speak to qualified mental health professionals 24/7 over the phone to discuss any questions or issues they may have (the phone number is 1800 644 325).
- Customers whose identity documents have been compromised will be provided with a reimbursement to cover the fees associated with replacing documents like their passport or driver’s licence.
The Australian government is strongly urging all Medibank customers to secure and monitor their devices and accounts for unusual activity. They are also advising that customers should ensure they have the latest security updates and enable multi‑factor authentication for all accounts.
Other steps you can take to protect yourself if you were affected by the Medibank data breach include:
- Replace your Medicare card; this can be done by either using your Medicare online account through MyGov, the Express Plus Medicare mobile app or by calling the Medicare program (the phone number is 13 20 11).
- Be alert for any scams that mention Medibank Private.
If you’re seriously concerned that your identity has been compromised or you’ve been a victim of a scam, contact your bank immediately and call IDCARE (the phone number is 1800 595 160).
How might the stolen data be used?
The biggest risk to Medibank customers is that their information may be used to fraudulently take out loans or apply for credit cards.
Although financial records were not stolen, the risk is that thieves may be able to use the leaked Medibank information to break into the online banking accounts of victims.
The most likely use of the information would be to perpetrate additional scams through text and email.
Therefore, any Medibank customer should be suspicious of any text messages or emails they receive that mention or reference the Medibank data breach. If you do receive a suspicious SMS or email, contact the business directly and do not click any links in the messages.
You can also report fraudulent SMSes by forwarding them to Scamwatch (their phone number is 0429 999 888).
Has the Medibank hacker been caught?
Sadly, the Medibank hacker has not been caught yet.
However, someone claiming to be the responsible criminal has contacted Medibank multiple times. At first they sent Medibank a data sample to prove they had indeed accessed Medibank customers’ personal data.
Then this person threatened to sell 200 gigabytes of stolen data and the confidential records of Medibank’s most famous customers unless Medibank paid a huge ransom. As mentioned above, Medibank refused to pay this ransom, and the details of hundreds of Medibank customers have now appeared on the dark web.