Medibank won’t pay ransom when more stolen data shows up on dark web


Medibank has confirmed further details of customers compromised in a security breach after stolen data recently surfaced on a dark web forum, describing the illegal buying and selling of that data as a disgrace. The Australian health insurer refuses to pay any ransom for the data, citing expert advice and the Australian government's position.

“The weaponization of people’s personal information in an attempt to blackmail is malicious and an attack on the most vulnerable members of our community,” Medibank CEO David Koczkar said in a statement on Thursday. “The release of this stolen data on the dark web is disgraceful.”

The company urged the public not to download the data that hackers last week threatened to start releasing on the forum. Reports suggest that the ransom demanded is up to $10 million, or $1 for each compromised customer account.

First announced last month, the security breach compromised the personal data of 9.7 million current and former customers and some of their authorized representatives. Among those affected are 1.8 million international customers.

According to Medibank, the hackers did not gain access to key identification documents such as local customers' driver's licenses, credit cards and banking information. However, they did access data such as name, date of birth, address, phone number and email address. The health claims data of 480,000 customers was also leaked, including the locations where they received medical services and codes related to the diagnoses and procedures performed.

Medibank on Wednesday confirmed that files had appeared on the forum that appeared to be a sample of the stolen data, including the passport numbers of several international student customers. The insurer said it expects further batches to be released and will notify customers whose data appears on the forum.

Koczkar said the company has no plans to pay any ransom to the hackers behind the data theft.

“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance that paying a ransom would ensure the return of our customers’ data and prevent that data from being published,” he said Monday in a statement to the Australian Stock Exchange. “Paying could have the opposite effect and encourage criminals to extort our customers directly, and it is very likely that paying would put more people at risk by making Australia a bigger target.”

“It is for these reasons that we have decided not to pay the ransom for this event,” he said. “This decision is in line with the Australian government’s position.”

Medibank said it is providing support to customers affected by the breach through its Online Response Assistance Program, which includes identity protection, financial measures and mental health support.

It added that it has enhanced the existing monitoring of its network, adding detection, analysis and forensics capabilities across its systems. It notes that the law requires that certain customer information be retained for at least seven years from the time the customer leaves.

Australia passes legislation to increase penalties for violations

Meanwhile, Australia’s proposed law to increase financial penalties for data privacy violators passed on Wednesday. It raises the maximum fine for serious or repeated violations to AU$50 million (US$32.34 million), from the current AU$2.22 million, or three times the value of any benefit obtained through the misuse of data, or 30% of the company’s adjusted revenue for the relevant period, whichever is greater.

The bill also empowers the Australian Information Commissioner to address privacy breaches and share information about data breaches more quickly.

A Sydney man on Tuesday pleaded guilty to attempting to extort money from customers affected by the Optus data breach in September.

Australian Federal Police Assistant Commissioner, Network Command, Justine Gough said on Wednesday that the AFP will pursue the hackers responsible for cyberattacks such as the Medibank breach, even if they are based abroad.

“We have considerable authority, determination and access to international law enforcement networks to help investigate this breach,” Gough said. “This is not just an attack on an Australian business. Law enforcement agencies globally know this is a crime that knows no borders and requires the sharing of evidence and capabilities.”

“It is an offense to buy stolen data, which can be used for financial crimes,” she said. “Extortion is a crime and those who misuse stolen personal information for financial gain will face penalties of up to 10 years in prison.”

According to the Office of the Australian Information Commissioner (OAIC), there were 396 data breaches reported from January to June 2022, down 14% from July to December 2021.

About 41% of all breaches, or 162 notifications to the OAIC, resulted from cybersecurity incidents. The largest share of these, 51 reports, involved ransomware, while 42 were due to phishing.

The office added that 24 data breaches affected at least 5,000 Australians, including four affecting at least 100,000 Australians. Except for one reported case, all of these data breaches were caused by a cybersecurity incident.

Angelene Falk, Australia’s Information and Privacy Commissioner, said: “Recent data breaches have brought attention to the importance of organizations keeping the personal information they have been entrusted with secure, and the high level of public concern about the protection of their information and whether it needs to be collected and retained in the first place. I urge all organizations to review their personal information handling practices… Collect only necessary personal information and delete it when it is no longer required.”

The OAIC report also found that 71% of organizations notified the Office within 30 days of becoming aware of the incident, compared with 75% in the previous period.

Falk said: “Since the risk of serious harm to individuals often increases with time, organizations that suspect they have experienced an eligible data breach should consider 30 days as the maximum period for an assessment and aim to complete the review and notify individuals in a much shorter period of time.”
