Criminal behind Medibank hack dumps more data on dark web

On the same day that Maurice Blackburn lodged a representative complaint against Medibank with the Office of the Australian Information Commissioner (OAIC) seeking compensation for customers affected by a data breach, it has come to light that more stolen customer details have been dumped on the dark web.

Following widespread media reports that the criminal behind the Medibank (ASX: MPL) cyberattack dumped the majority of stolen customer data on the dark web, the private health insurer confirmed it expects to see more files released.

Medibank announced today that six zipped files in a folder called ‘full’ are believed to contain raw data that were stolen, but that much of the data is incomplete and hard to understand. One such example is that health claims data has not been joined with a customer name or contact details.

While the investigation is ongoing, Medibank noted there are currently no signs that financial or banking data has been taken. The insurer also added that personal data which was stolen is not sufficient enough to enable identity and financial fraud.

As reported broadly by the media, the criminal behind the breach made an update to a dark web blog that is being used to release information, posting this morning: “Happy Cyber Security Day!!! Added folder full. Case closed.”

Medibank CEO David Koczkar said while there are media reports of this being a signal of ‘case closed’, the work is not over.

“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.

“Anyone who downloads this data from the dark web, which is more complicated than searching for information in a public internet forum and attempts to profit from it is committing a crime.

“The Australian Federal Police have said law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank customer data.”

The news comes a few days after the Australian Prudential Regulation Authority (APRA) intensified its supervision of Medibank, which announced to shareholders in mid-October that the personal information of 9.7 million current and former customers were stolen.

APRA said it had “informed the scope” of an external review being conducted by Deloitte that is examining the incident, control effectiveness and the response of Medibank, including its refusal to pay a ransom to the criminal behind the data theft.

The breach has affected roughly 5.1 million Medibank customers, 2.8 million ahm customers, 1.8 million international customers and 900 Medibank staff.

International students also had their passport numbers accessed, some of which are already published on dark web forums. The leak also included customer names, addresses, dates of birth, phone numbers, email addresses, and the Medicare numbers of ahm customers (without the expiry dates).

Medibank has extended call centre hours and increased its customer support team by more than 300 people to handle an influx of queries from customers. From this week, it will also use two-factor authentication in its contact centres – meaning when a customer calls for support, the insurer can verify the identity of the person speaking.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures,” Koczkar said.

“We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web.

“Again, I unreservedly apologise to our customers."

Maurice Blackburn launches representative complaint

National law firm Maurice Blackburn announced today it has lodged a representative complaint against Medibank with the Office of the Australian Information Commissioner (OAIC).

The firm alleges that Medibank failed in its duties by failing to take steps to protect the privacy of its customers’ personal information and sensitive health information from interference, loss, unauthorised access and unauthorised disclosure.

Maurice Blackburn noted the OAIC has the power to order Medibank to compensate affected customers in what it describes as “one of Australia’s most serious data breaches”.

“The disclosure of personal information, particularly the nature of the information held by Medibank, has caused millions of Australians significant distress,” Maurice Blackburn principal lawyer Andrew Watson said.

“The right to privacy is a fundamental human right, and the representative complaint to the Australian Information Commissioner offers an avenue of redress to the millions affected by this incident.

“We cannot undo the damage that has been caused in this data breach, but we can ask the commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected, including for financial or non-financial loss, such as humiliation, stress, and feelings of anxiety.”

A class action against Medibank is currently being explored by law firms by Bannister Law Class Actions and Centennial Lawyers.