With Medibank refusing to pay cyber criminals a ransom to withhold personal details of almost 10 million current and former customers, this data could soon be widely available online.
The hack, which was first disclosed by Medibank more than three weeks ago, is believed to include everything from customers’ identification information to details of medical procedures and conditions, sparking fears it could be used to extort individual clients.
Medibank said on Monday it would not pay a ransom.Credit:Getty Images / Louise Kennerley
Why is Medibank not paying the ransom?
In a statement, Medibank said it had received extensive advice from experts that paying the ransom probably wouldn’t protect its customers. The criminals could easily still sell the data, or use it to extort Medibank customers directly. Paying could also have the effect of encouraging more attacks generally, as the attackers would gain more resources, and other groups could be motivated to attack Australian businesses.
Is the criminal group likely to release the data online?
Yes. Medibank believes that the attackers’ claims in terms of the amount of data stolen are genuine, even if the company didn’t comment on whether it thought the data would be posted online.
Criminal hacking groups almost always follow through on threats to post data if a victim doesn’t pay the ransom. If they didn’t, their reputation and the likelihood of getting paid next time could suffer.
What will happen to the data if released?
Generally, data from hacks gets dumped onto forums or databases accessible via the dark web, where various criminals can collect them to formulate further attacks. It’s also possible the group could publish certain parts of the data and sell access to the rest.
What could criminals do with this sort of data?
A lot of different kids of data are thought to have been stolen from Medibank. Identifying details such as names, birthdates, phone numbers and email addresses are useful for crafting phishing attacks, where victims are tricked into clicking on malicious links or handing over further details, or could just serve as a way to contact potential victims. Medicare numbers, passport numbers and visa details could be used in identity theft operations, where for example criminals apply for credit cards or loans posing as the victim. Health claims data was also accessed, including details of providers, medical diagnoses and procedures. This data could be used to impersonate health care professionals, or to directly blackmail victims in the case of particularly sensitive health issues.
How could victims protect themselves?
Details like Medicare and passport numbers can be changed, which would render the attackers’ data useless. Changing phone numbers and email addresses is more of a burden, and things like birthdates are obviously fixed, so the best protection there is vigilance in clicking on anything received via SMS or email, and making sure online accounts are secured with unique passwords and two-factor authentication. It’s important to note that once data like this is dumped online it tends to stick around for a long time. Customers are not only at short-term risk of receiving a higher number of phishing emails, but the data could be combined with other details long into the future to craft new attacks. The health data is the most problematic, as attackers could conceivably use it to extort or harass victims for years, as we’ve seen with previous sensitive data leaks such as the Ashley Maddison hack.
What is Medibank doing to help?
Medibank is contacting all customers whose data has been accessed with specific advice. It has opened a dedicated health and wellbeing phone line available for all customers, and is reaching out proactively to customers identified as being particularly vulnerable. The company has also set up an app that includes tools and links to support, is offering free credit monitoring services and reimbursements for the cost of ID replacements, and has a hardship support hotline for anyone financially impacted.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.
Most Viewed in Technology
From our partners
Source: Read Full Article