In what is described as a ‘distressing development’ by Medibank chief executive, David Koczkar, a ransomware group, whose identity has not yet been confirmed, threatened to release the personal information of about 10 million Australians.
For your information, Medibank, Australia’s largest health insurer, has confirmed that the following data was exposed in the breach:
- Name, date of birth, address, phone number, and email address for approximately 9.7 million current and former customers and authorized representatives
- Medicare numbers (but not expiry dates) for ahm health insurance (ahm) customers
- Passport numbers (but not expiry dates) and visa details for international student customers
- Health claims data for roughly 480,000 Medibank, ahm, and international customers
- Health provider details, including names, provider numbers, and addresses
Furthermore, they also confirmed that the group behind October’s cyber attack has not accessed financial information (credit card and banking details), primary identity documents (e.g., driver’s licenses), or health claims data for extras services (like dental, physio, optical, and psychology).
- Optus Hacker Apologizes to Australians Over Data Breach
- Data of millions exposed in Australia’s largest telecom firm breach
- Sensitive Data of Australian Navy’s Vessels and Fighter Jets stolen
- Australian Defence Force Comm. Service Hit by Ransomware Attack
- Australian Trading Giant ACY Securities Exposed 60GB of User Data
The ransomware group in question posted to its dark web blog around midnight saying that the data will be published within 24 hours and added, “P.S I recommend to sell Medibank stocks.” In their post, however, they did not show any data samples to verify this threat.
But being aware of the very imminent possibility of data exposure, Koczkar stated that customers should remain vigilant with all online communications and transactions. “We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,” he said.
There are contrasting views from the cybercrime analysts keeping track of the updates regarding the identity of the ransomware group. While some believe it to be a REvil relaunch, others such as security researcher MalwareHunterTeam suspect it is BlogXX, a new operation linked to REvil.
REvil Russian ransomware gang was originally shut down in October 2021 after law enforcement reportedly hijacked its Tor servers, followed by Russia arresting some of the members. In April 2022, the operation’s original website was resurrected and redirected visitors to new websites for what is known as the ‘BlogXX’ operation.
The company stated in a press release that they do not intend on paying the ransom demanded by the cybercriminals.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” said Medibank, adding that the attackers will only be motivated to go after its customers affected by the breach.
In addition, they believe that succumbing to the ransomware group’s demands will incentivize other cybercriminals to target Australian organizations, putting more people at risk.
The home affairs minister, Clare O’Neil, said Medibank’s decision not to pay a ransom to cyber criminals was in line with government advice.
While we wait for the situation to unfold, we advise those affected by the data breach to view the update posted on Medibank’s website and take the necessary steps as instructed.