Medibank: For refusing to pay ransom, hackers are now leaking stolen health data


  • The ransomware group began publishing the stolen records early Wednesday, including customers’ names, birth dates, passport numbers and information on medical claims.
  • A blog linked to a Russian ransomware group says it offered a ‘discount’ ransom of US$9.7 million to the health insurer, or US$1 for each customer’s data.
  • Medibank, however, believes that there is only a limited chance that paying a ransom would ensure the return of its customers’ data and prevent it from being published.

When Australia’s largest health insurer, Medibank, fell victim to a cyber hack, it was revealed that all 9.7 million of its current and former customers were affected by the breach. Then this week, Medibank revealed that the suspected hackers had demanded a dollar for each customer’s data, bringing the total ransom demand to US$9.7 million. “Society asks us about ransom, it’s US$10 million. We can make discount 9.7m 1$=1 customer,” reads the post spotted on the dark web.

The post was spotted on a blog linked to REvil, a ransomware gang with strong Russian links. Medibank was quick to respond that it would not pay the ransom demand, saying, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.” 

The alleged hacker then responded by posting “Medibanks (sic) CEO stated that ransom amount is ‘irrelevant’. We want to inform the customers that he refuses to pay for your data more, like 1 USD per person. So, probably customer data and extra efforts don’t cost that.” By early Wednesday this week, the ransomware group began publishing the stolen records, which include customers’ names, birth dates, passport numbers and information on medical claims.

The cybercriminals selectively separated the first sample of Australian breach victims into “naughty” and “good” lists, with the former including numerical diagnosis codes that appeared to link victims to drug addiction, alcohol abuse and HIV, according to Agence France-Presse. To top it off, the leaked data apparently also includes the names of high-profile Medibank customers, including senior Australian government lawmakers, like prime minister Anthony Albanese and cybersecurity minister Clare O’Neil.

Reports also indicate, based on screenshots of WhatsApp messages, that the ransomware group plans to leak “keys for decrypting credit cards” despite Medibank’s assertion that no banking or credit card details were accessed. “Based on our investigation to date into this cybercrime we currently believe the criminal did not access credit card and banking details,” Medibank spokesperson Liz Green, who deferred to the company’s blog post, told TechCrunch in an emailed statement on Wednesday.

So far, the leaked personal details involve around 200 Medibank customers, a fraction of the data that the group claims to have stolen. Just this week, Medibank confirmed that the cybercriminals had accessed roughly 9.7 million customers’ personal details and health claims data for almost 500,000 customers. Now, Medibank is bracing for the situation to worsen, saying that it “expects the criminal to continue to release files on the dark web.”

On their dark web leak site, the cybercriminals have said they planned to “continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi file system from different hosts.” To make matters worse, Medibank does not own any cyber insurance, despite being an insurance company, so the company is on the hook to lose tens of millions of dollars, according to some estimates, and lawsuits are apparently already being prepared.