Private health insurer Medibank (ASX: MPL) has today revealed that a criminal who hacked customer data has started releasing files on a dark web forum, including personal details such as names, addresses, dates of birth, phone numbers, email addresses, and Medicare numbers for ahm customers but without the expiry dates.
Medibank has also reported that in some cases the passport numbers of international students and some health claims data were also released.
The Melbourne-based group believes the files are a sample of the data it had earlier determined to have been accessed by the criminal, which encompassed data connected to roughly 5.1 million Medibank customers, 2.8 million ahm customers and 1.8 million international customers.
The insurer expects the criminal to continue to release files on the dark web, and is working with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police, which is investigating the matter.
"We unreservedly apologise to our customers," says Medibank CEO David Koczkar, who in accordance with Australian Government recommendations is not caving in to the hackers' demands.
"This is a criminal act designed to harm our customers and cause distress.
"We take seriously our responsibility to safeguard our customers and we stand ready to support them."
Medibank reports it has written to customers over the last 24 hours to alert them that the criminal had threatened to begin releasing stolen Medibank customer data on the dark web and could also attempt to contact customers directly.
In one email to customers, Koczkar said paying a ransom could encourage the criminal to extort customers directly and, by making Australia a bigger target, would create a strong chance of putting more people in harm's way.
On its website the insurer reports that due to a high volume of incoming calls wait times may be in excess of 30 minutes, and has urged customers to be vigilant with all online communications and transactions including:
- Being alert for any phishing scams via phone, post or email;
- Verifying any communications received to ensure they are legitimate;
- Not opening texts from unknown or suspicious numbers;
- Changing passwords regularly using ‘strong’ passwords, not re-using passwords, and activating multifactor authentication on any online accounts where it is available; and
- Remembering that Medibank will never contact customers asking for passwords or sensitive information.
Meanwhile, the Australian Government has activated the National Coordination Mechanism to bring together agencies across the Federal Government, states and territories.
Earlier this week, Minister for Home Affairs Clare O'Neil said the payment of ransoms would directly undermine the goal of making Australia the most cyber-safe country in the world.
"Medibank’s decision is consistent with Australian government advice. Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model. They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals," she said.
"Two weeks ago, I activated the National Coordination Mechanism, ensuring focus and collaboration across all levels of government and the private sector in our national response to the Medibank attack. This is a new model for addressing cyber incidents in Australia.
"The Australian Government, after a wasted decade for digital reform, is stepping up on cyber security and ransomware."
O'Neil highlighted an urgent need to address the conditions that have allowed the two largest cyber attacks in Australian history - the other involving telco Optus - to occur within the space of two months.
Today's announcement follows the launch of an investigation into a possible class action against Medibank, led by Bannister Law Class Actions and Centennial Lawyers.