Medibank Data Breach: Personal Information of Australian Health Insurance Company Customers Posted to Dark Web

Stolen data from an Australian health insurer, including the names, addresses and dates of birth of hundreds of customers, was posted to a forum on the so-called dark web.

Medibank said the files appear to be a sample of the data that was accessed on Wednesday. The company hopes more data will be released, after earlier this week it said hackers had exposed the information of about 9.7 million people.

The disclosure of personal information comes after a massive data leak at Telecom Singapore’s Optus unit in September exposed the details of around 10 million customers. Other recent attacks against pathology provider Australian Clinical Labs and Woolworths subsidiary MyDeal have raised concerns that Australian companies are not doing enough to protect customer data.

The hackers warned early Tuesday that they would release the data within 24 hours, a day after the Melbourne-based company said it would not pay the ransom because it would only encourage crime. further offense. The leaked data contained details on about 100 clients including treatments for cannabis addiction, alcohol abuse, anxiety and drug use, the Australian Financial Review reported.

According to Bloomberg Intelligence analysts Matt Ingram and Jack Baxter, the Medibank data breach could cost the company more than $129 million (or Rs 1,050). The health insurer has delayed a premium increase for affected customers, which could face claims ranging from A$500 (about Rs 26,300) to A$20,000, analysts said. approximately Rs 1,052,300) to affected policyholders.

Shares of Medibank rose 0.7 per cent in afternoon Sydney trading on Wednesday. Shares have tumbled about 20% since the hack was first discovered just under a month ago, wiping around AUD2 billion (about 10,500 crore) from the company’s market value.

Josh Lemon, who teaches cybersecurity at the SANS Institute, said the first batch of leaks and further posting threats could be designed to pressure Medibank into paying the ransom.

“Unfortunately, paying a ransom does not always guarantee that data will not be released or sold to other cybercriminals,” Lemon said. “I don’t believe paying the ransom at this stage will do more than delay the rate at which data is released.”

Interior Minister Clare O’Neil said Medibank’s decision not to pay ransoms to cybercriminals was in line with government advice.

“Paying them just fuels the ransomware business model,” O’Neil said. “They commit to taking actions in return for the payment, but so often leave companies and individuals the victim.”

“Under no circumstances should Medibank consider paying a ransom,” said Troy Hunt, who runs the breach tracking website. “Their stance on this is correct and reflects the government’s position on cybercrime and ransom.”

The Australian Federal Police operation Guardian, originally set up to protect victims of the Optus data breach, will be expanded to include victims of the Medibank hack, Assistant Commissioner Justine Gough said on Wednesday.

The government on Wednesday also passed legislation increasing fines for repeated or serious privacy violations to at least AUD 50 million (about Rs 260).

“The significant privacy breaches in recent weeks show that current protections are outdated and inadequate. This bill makes it clear to companies that the penalty for a major data breach can no longer be seen as a cost of business,” Attorney General Mark Dreyfus said in a statement.

© 2022 Bloomberg LP