Key points
- Data includes sensitive medical information, including where and what treatment people received.
- A sample of 100 customer records provided by the hackers has genuine information.
- About 1 million people are customers of the Medibank divisions known to be affected so far, but the insurer has 4 million in total.
Medibank Private has confirmed that hackers have stolen sensitive health information from systems that hold the records of about 1 million customers after the criminals threatened to spread the information unless the insurer paid a ransom.
On Thursday, Medibank said it had received a sample of data on 100 customers from the hackers which it confirmed as authentic, and warned that it expected the number of affected customers to grow substantially in coming days.
Police are investigating threats made in the wake of a major cybersecurity breach at Medibank Private. Credit:Louise Kennerley
Chief executive David Koczkar said the sample included codes that specify where a customer had been treated and which conditions had been treated. These could range from sprained wrists to drug and alcohol addiction.
"They're used across the health system, and they cover all range of physical and mental health conditions," Koczkar told The Sydney Morning Herald and The Age.
The sample data comes from Medibank’s cheaper ahm brand and its international student services, which have about 1 million customers combined. It includes names, addresses, birth dates, Medicare numbers and contact information. The hackers have made an unverified claim to possession credit card information among the 200 gigabytes they claim to have stolen.
Home Affairs Minister Clare O'Neil hit out at the hackers' threat, first revealed by this masthead on Wednesday, to sell the data to other criminals and send 1000 high-profile Australians their own data as a warning shot.
“The threat being made here to make the private, personal health information of Australians available to the public is a dog act,” O’Neil said. “That is why the toughest and smartest people in the Australian government are working directly with Medibank to try to ensure that this horrendous criminal act does not turn into what could be irreparable harm to some Australian citizens.”
Staff from the Australian Federal Police and the Australian Signals Directorate, which is the nation's cyber agency, have embedded with Medibank to investigate the breach and try to stop the data getting released more widely.
Koczkar apologised to customers for the breach, vowed to do everything possible to protect them, and defended the company's handling of the crisis, in which it emphasised as early as Monday this week that it had no evidence customer data had been stolen.
"The investigation has been ongoing and as these incidents are, they continue to evolve. And from the start, I committed to share updates, right when they came to light," Koczkar. "And previous statements had been very clear that they were point-in-time updates."
Koczkar would not answer any questions about the ransom demanded, nature of the hack, identity of the criminals or when Medibank received the sample data and threats from the hackers, saying instead that there was an ongoing police investigation.
Australia’s information and privacy watchdog said on Thursday it was checking whether Medibank complied with rules that require many businesses to report major cybersecurity breaches.
"This matter is understandably of great concern, given the sensitive information that may be involved," Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
The ransom message received by Medibank said the company had been "shy" about speaking to the hackers and referred to the data that had been sent to the company.
"We want to talk with your company about demand, and also attach part of your personal data to prove," the message reads. "By the way, we're ready to send you more proves."
Medibank boss David Koczkar has apologised for the breach.Credit:Arsineh Houspian
Marcus Thompson, a former head of the Australian Defence Force’s information warfare division, said the hackers were acting differently to those who targeted Optus, asked for a $1.5 million and then recanted their demand.
"Clearly the tradecraft here is different to the Optus hack, which implies a more polished threat actor here," said Thompson, who is now a strategic adviser with cybersecurity firm Paraflare among other corporate roles.
He pointed to previous large-scale data breaches, such as one on British Airways in 2018, where personal information packs were quickly offered for sale online for as little as £9 ($16) as an example of what the data could be used for.
O’Neil said the breach gave the government a mandate to toughen Australia’s laws, which it flagged in the wake of the hack on Optus last month in which details on almost 10 million Australians were exposed, but have not been unveiled.
“We are going to be under relentless cyberattack, essentially from here on in,” O’Neil said.
Asked by journalists in Melbourne whether she had applied a double standard in slamming Optus, over the massive breach it disclosed last month, while supporting Medibank, O'Neil sidestepped the question. She directed questions about Medibank's communications to the company and said: "The side I am on is the side of the Australian people."
A spokesman for the Australian Federal Police issued a brief statement when asked about the breach, saying: “The AFP is aware of the matter and has no further comment at this stage.”
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.
Most Viewed in Technology
From our partners
Source: Read Full Article