Ransomware Gang Leaks Medibank Data on Dark Web

After refusing to pay the ransom demanded by the cybercriminal group, Medibank has finally witnessed the dreaded moment where their customers’ personal data was leaked online.

For now, the gang whose identity is yet not revealed but is likely connected to the Russian ransomware group REvil has posted the personal details of around 200 Medibank customers, only a fraction of the total data included in the breach: 9.7 million customers’ personal details and 500,000 customers’ health claims data.

The notorious group started posting the data early Wednesday on a blog linked to the REvil ransomware gang and the blog post stated that more data will be uploaded soon. The stolen records included customers’ names, addresses, birth dates, government ID numbers, and information on medical claims.

Hackers Leak Stolen Data After Medibank Refused to Pay Ransom — Screenshot from the ransomware gang’s blog post on the dark web (Image: Hackread.com)

What really stood out is that the cybercriminals divided the data into two lists: “naughty and “nice”. The former included numerical diagnosis codes that linked victims to drug addiction, alcohol abuse, and HIV, as seen by Hackread.com.

One record, for example, carried an entry that read “F122”, which corresponds with “cannabis dependence” under the International Classification of Diseases published by the World Health Organisation.

The data leaked also contained screenshots showing the correspondence of negotiations between the cybercriminal gang and Medibank CEO David Koczkar. The WhatsApp messages suggested that the ransomware group also intends to leak “keys for decrypting credit cards” which is contradictory to the statement given by Medibank, stating that no banking or credit card details were accessed.

It is also believed that the leaked data includes personal details of high-profile names including Prime Minister Anthony Albanese and cybersecurity minister Clare O‘Neil.

Neil also defended Medibank, stating that the company followed government advice in not paying the ransom. The group responsible are “scumbags” and “disgraceful human beings”, she said.

Medibank apologized to its customers, calling the incident a “malicious weaponization” of private information, and promised to work “around the clock” to inform customers whose information has been published.

The release of private health information can be “distressing and embarrassing”, Australian Federal Police said, warning those whose data is yet to be released are at risk of blackmail.

“Please do not be embarrassed to contact police… if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made,” Assistant Commissioner Justine Gough said.

What are the current and future effects on Medibank?

The cyber attack has already had a tremendous effect on Medibank, the largest health insurer in Australia. Hundreds of millions of US dollars were wiped off Medibank’s market value as soon as news of the security breach became available to the public.

Since October, over 20 percent of the company’s share price has dropped. Until the leak is contained, we can only expect that their market value will continue taking hits.

Simultaneously, the legal situation does not look good for Medibank either as it seems that a potentially costly class action lawsuit will come knocking on its door soon enough. It is not yet known whether Medibank intends to mitigate the risk of one by offering compensation to its customers.

Two law firms, Bannister Law and Centennial Lawyers, also said on Tuesday that they are investigating whether the company breached its obligations to customers under the country’s Privacy Act. They are also assessing whether damages should be paid as a result of the breach.

What should the victims do?

For now, the customers are urged by Medibank and the Australian Federal Police to be on high alert for phishing scams and suspicious activity across their online accounts. They are advised to ensure that they don’t use the same password for more than one account and have multi-factor authentication enabled on the online accounts where the option is available.

Moreover, the company has also launched a “cyber response support package” for affected customers which includes hardship support, identity protection advice and resources, and reimbursement of government ID replacement fees. The health insurance giant is also providing a well-being line, a mental health outreach service, and personal duress alarms.

It is also advised that customers at a heightened risk of being targeted by fraudulent emails should ensure that the emails are coming directly from Medibank. The company said they would not ask for personal details over emails and if in doubt, don’t click any links.