Hackers Post Australian Health Insurance Medibank Data On The Dark Web
Data stolen from an Australian health insurer, including the names, addresses and birthdays of hundreds of customers, has been posted on a forum on the so-called dark web.
The files appear to be a sample of the data accessed, Medibank said in a statement on Wednesday. The company is waiting for more information to be released, after it said earlier this week that hackers had exposed the information of about 9.7 million people.
The release of personal information comes after a massive data leak at Singapore Telecommunications unit Optus in September, which exposed the details of up to 10 million customers. Other recent hacks at Australian pathology services provider Clinical Labs and Woolworths subsidiary MyDeal have raised concerns that Australian companies are not doing enough to protect customer data.
The hackers warned on Tuesday that they would release the data within 24 hours, a day after the Melbourne-based company said it would not pay the ransom because doing so would promote more crime. The leaked data contained details of about 100 clients, including their treatment for cannabis addiction, alcohol abuse, anxiety and drug use, the Australian Financial Review reported.
The Medibank data breach could cost the company more than $129 million (roughly Rs. 1,050 crore), according to Bloomberg Intelligence analysts Matt Ingram and Jack Baxter. The health insurer, which has already delayed premium hikes for affected customers, may face compensation of AUD 500 (roughly Rs. 26,300) to AUD 20,000 (roughly Rs. 1,052,300) to affected policyholders, analysts said.
Medibank shares were up 0.7 percent in afternoon trading in Sydney on Wednesday. The stock has fallen nearly 20 percent since the hack was first discovered just under a month ago, wiping nearly AUD 2 billion (roughly Rs. 10,500 crore) from the company’s market value.
The disclosure of the first batch of information and threats to send more may be designed to pressure Medibank into paying the ransom, said Josh Lemon, who teaches cybersecurity at the SANS Institute.
“Unfortunately paying the ransom does not always guarantee that the information will not be released, or resold to other cybercriminals,” said Lemon. “I don’t believe that paying the ransom at this point will do more than delay how quickly information can be released.”
Home Affairs Minister Clare O’Neil said Medibank’s decision not to pay cybercriminals was in line with government advice.
“Paying yourself encourages the ransomware business model,” O’Neil said. “They commit to taking action to pay, but they often harass companies and individuals.”
“Medibank should never even consider paying a ransom,” said Troy Hunt, who runs a website that tracks breaches. “Their stance on this was positive and reflects the government’s stance on cybercrime and ransom.”
The Australian police’s Operation Guardian, originally set up to protect victims of the Optus data breach, will be expanded to include victims of the Medibank hack, Assistant Commissioner Justine Gough said on Wednesday.
The government on Wednesday also passed legislation increasing the fine for repeated or serious privacy breaches to at least AUD 50 million (about Rs. 260 crore).
“Significant privacy breaches in recent weeks have shown that existing protections are outdated and inadequate. This bill makes it clear to companies that fines for major data breaches will no longer be considered a cost of doing business,” said Attorney General Mark Dreyfus in a statement.
© 2022 Bloomberg LP