Medibank hack: Sensitive health data of Australians posted on dark web

10 Nov 2022

Image: © eyeofpaul/Stock.adobe.com

Hackers have released sensitive Medibank customer data on the dark web, including a file titled ‘abortions’.

Sensitive data stolen from Australian health insurance provider Medibank has been released on the dark web as hackers demand nearly $10m in ransom.

This follows a major cyberattack on Medibank last month which affected 9.7m Australians. The data breach is linked to Russian ransomware group REvil.

“We have become aware that the criminal has released files on a dark web forum containing customer data that is believed to have been stolen from Medibank’s systems,” the insurance company wrote in an update yesterday (9 November).

The data made public includes personal information such as names, addresses, dates of birth, phone numbers, email IDs, and even Medicare and passport numbers of some customers.

“We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web, and provide advice on what customers should do,” Medibank added.

The hack is now under police investigation. The initial ransom demanded $10m. The REvil group apparently reduced the price to $9.7m, amounting to $1 per customer affected, The Guardian reports.

The group has also reportedly posted a file titled ‘abortions’ on the dark web blog it is using to make sensitive information public. The Guardian reports that a ‘naughty list’ on the blog contains claims linked to high-profile Australians related to drugs or mental health issues.

Australian telecoms company Optus recently suffered a similar data breach that may have affected up to 9m customers, exposing names, dates of birth, phone numbers and email IDs.

Troy Hunt, creator of the Have I Been Pwned website that lets people check if their information has been compromised in a data breach, called out the hackers’ decision to add a file on abortions in the blog as “sickening” in a Twitter thread.

“No surprises on the comments around dollars, but that line on abortions is sickening. To selectively single these individuals out and publish personal data is abhorrent,” Hunt wrote.

The Australian government has decided, in line with the country’s policy, to not pay the ransom.

“What’s especially appalling about this is that the ransom is over. No money is being paid – ever,” Hunt went on.

“So why continue to dump data and inflict pain on individuals? So that the next ransom ‘customer’ sees how bad it can get if they don’t pay. Medibank is being made an example of now.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain was a journalist with Silicon Republic

editorial@siliconrepublic.com