Hackers on Wednesday began leaking sensitive medical records stolen from an Australian health insurer with nearly 10 million customers, including the prime minister, after the firm refused to pay a ransom.
Medibank told investors that a “sample” of data from some 9.7 million clients had been posted on a “dark web forum” — and that more leaks were likely.
Sensitive records were posted anonymously in the early hours of Wednesday and included names, birth dates, passport numbers and information on medical claims for hundreds of customers.
The victims were separated into a “naughty” list and a “nice” list.
Some on the “naughty” list had numeric codes that appeared to link them to drug addiction, alcohol abuse and HIV.
For example, one record carried an entry that read: “p_diag: F122”.
F122 corresponds with “cannabis dependence” under the International Classification of Diseases, published by the World Health Organisation.
Prime Minister Anthony Albanese, himself a Medibank customer, said the attack was a “wake-up call” for corporate Australia.
“I am a Medibank Private customer as well and it will be of concern that some of this information has been put out there,” he said.
The leaked data was posted on a dark web forum that cannot be found using conventional web browsers.
Medibank — which provides private health insurance to Australians wishing to supplement universal public healthcare — informed the Australian Securities Exchange about the leak shortly before the market opened.
“The files appear to be a sample of the data that we earlier determined was accessed by the criminal,” the company said in a statement.
“We expect the criminal to continue to release files on the dark web.”
The hackers were following through on an earlier threat to publish the data unless Medibank paid an undisclosed ransom.
“P.S I recommend to sell Medibank stocks,” the purported hackers wrote on the forum about 24 hours before the first batch of data was released.
With the political backing of Australia’s federal government, Medibank on Tuesday refused the demand — instead warning customers to remain “vigilant”.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank boss David Koczkar said.
The group also uploaded what they said were a series of exchanges between themselves and Medibank representatives.
“We will do everything in our power to inflict as much damage as possible for you, both financial and reputational,” one message read.
The security breach has already wiped hundreds of millions of US dollars off Medibank’s market value, with the company’s share price down over 20 percent since October, when news of the leak first emerged.
AFP Assistant Commissioner Cyber Command Justine Gough said the “criminal or criminal groups” responsible for the hack could be operating outside of Australia.
Australia’s assistant treasurer Stephen Jones said they were “scumbags” and “crooks”.
“We shouldn’t be giving in to these fraudsters,” he told Sky News Australia.
“The moment we fold, it sends a green light to scumbags like them throughout the world that Australia is a soft target.”
As Medibank scrambles to contain the leak, it is also staring down the barrel of a potentially-costly class action lawsuit.
Two law firms said Tuesday they had joined forces to investigate whether Medibank had breached its obligations to customers under the country’s Privacy Act.
The Medibank hack followed an attack on telecom company Optus in September that exposed the personal information of some nine million Australians.