Written by Staff Writer.
A ransomware group has demanded US$9.7 million, or $1 for each customer record stolen in the Medibank Private cyber-attack. This follows the release of millions more customer details on dark web forums overnight after the health insurer declined to pay a ransom.
In a series of WhatsApp messages and emails posted online, REvil, a ransomware group with Russian ties, threatened to “do everything in our power to inflict as much damage as possible for you, both financial and reputational,” if negotiations broke down or the health insurer refused to pay.
Medibank Private has since confirmed that more customer information was posted to the dark web after a deadline passed. In a November 10 statement, the insurer says the first batch of released data included the names, addresses, dates of birth, phone numbers, email addresses, and Medicare numbers of some ahm customers. ahm is a Medibank Private brand.
However, what was a relatively short customer data list on Wednesday has now reportedly expanded to more than five million customer records available online in what is a rapidly evolving situation. Medibank Private CEO David Koczkar called the hackers “disgraceful.”
The first trove of released customer information included a “good list” and a “naughty list.” The naughty list reportedly contained details of mental health and addiction treatments for 100 customers, some of whom are allegedly high-profile. The “good list” details the day-to-day medical procedures of a further 100 customers. Overnight, the hackers added another file to the “naughty” list – abortions.csv.
“The files appear to be a sample of the data that we earlier determined was accessed by the criminal,” says a Medibank Private spokesperson. “We expect the criminal to continue to release files on the dark web.”
“We have 200Gb sensitive data from your RedShift Cluster,” the ransomware group told Medibank Private negotiators. The group threatened to start selling the stolen information to third parties but not before releasing details of 1,000 well-known people on the database, including drug addicts, politicians, and LGBT activists. “We’ve found people with very interesting diagnoses,” they said.
Prime Minister Anthony Albanese has since confirmed he is a Medibank Private customer. The PM has supported Medibank Private’s decision not to pay any ransom.
It is also emerging that the ransomware group may have accessed Medibank’s networks for several weeks before stealing the customer data. A plan to encrypt the health insurer’s records and demand payment for a decryption key was allegedly thwarted when Australian cyber authorities tipped off Medibank Private. However, falling back to Plan B, the hackers were still able to download the customer data.
The hackers accessed Medibank Private’s network using stolen credentials. They also reportedly gained entry through one of the company’s virtual private networks (VPNs), which are supposed to protect remote access to the health insurer’s systems. However, the VPN may not have been appropriately secured.
The AFP has expanded Operation Guardian to include Medibank, saying that it was an offence to buy stolen data.
“The AFP is aware that the unlawful release of private health information can be distressing and embarrassing,” said Justine Gough, Cyber Command Assistant Commissioner. “We have significant powers, determination and access to international law enforcement networks to help investigate this breach.”
But speaking to ABC News on Wednesday morning, Nigel Phair, Director of the UNSW Canberra Cyber Centre, said getting the ransomware group before Australian courts would be a tough ask, and a long and complex process.
“We don’t know who they are or their jurisdiction, but it doesn’t mean it’s impossible,” he said. “We’ve got to lure them. If they’re in a jurisdiction that’s not complementary to Australian law enforcement, we need to lure them out.”