By Padraig Collins For Daily Mail Australia and Aap
19:36 08 Nov 2022, updated 04:51 09 Nov 2022
- Medibank hackers threatened on Tuesday they would release private details
- The health giant said on Monday it had refused to pay the ransom to the hackers
- Australians’ private health data was posted online early Wednesday by the group
- Do you know more? Let us know at firstname.lastname@example.org
Russian hackers who have started posting customer data from Medibank on the dark web have also released bombshell screenshots of their contacts with the company.
Hundreds of names, addresses, birthdates and Medicare details were being posted under ‘good-list’ and ‘naughty-list’ on a blog belonging to the group on Wednesday morning.
The scam calls to affected Medibank customers have already begun, with people being told they have an unpaid bill for a procedure at a hospital.
Prime Minister Anthony Albanese said government security agencies are working with Medibank following the latest leak.
He is one of the customers affected by the leak.
‘The company has followed the guidelines effectively, the advice, which is to not engage in a ransom payment,’ Mr Albanese said.
Former tennis champion and Channel 9 broadcaster Todd Woodbridge is one of those who have been targeted.
The 51-year-old, who suffered a mild heart attack last month, got five calls in a row from the same number yesterday.
‘They ended up leaving me a message and the message was that I had bills to pay from the hospital stay that I had,’ he told Heidi Murphy on 3AW.
‘They knew the hospital that I had stayed in and they wanted me to ring back and give me an account number and wanted me to pay over the phone.’
Screenshots released by the hackers have shown an alleged response from Medibank – Australia’s largest health insurer.
It said: ‘Hello. We received your message. We want to talk with you, but need to be sure you’re the person who says they have our data.
‘Can you tell us all the addresses and phone numbers you sent messages to?’
The hackers, known as Blogxx or REvil, responded saying ‘OK, we wait.’
According to the screenshots, Medibank later replied that ‘After considering all options, we have made a decision that we cannot pay your demand.
‘It is also Australian government policy that ransoms should not be paid. We understand the impact this may have.’
Medibank has promised to tell customers what data it believes has been stolen, if any of their data is included in the files on the dark web and give advice on what to do.
‘The files appear to be a sample of the data that we earlier determined was accessed by the criminal,’ the company said on Wednesday.
‘We expect the criminal to continue to release files on the dark web.’
The hackers had demanded a ransom to stop them from releasing the data, but Medibank earlier this week said it would not pay it because it would encourage further crime.
Shortly after midnight, the group posted the first lists and warned it is about to drop even more but they ‘need some time’.
‘Looking back that data is stored not very understandable format (table dumps) we’ll take some time to sort it out,’ they said.
‘We’ll continue posting data partially, need some time to do it pretty.’
The group previously said it would release the personal data of Australian celebrities.
Tech expert and editor of EFTM.com, Trevor Long, said a sample of data was released on the dark web in the early hours of Wednesday morning.
‘The bottom line is the hacker community, the scammer community, have this information now and that’s the risk to us – individuals getting asked to pay ransoms to prevent their own information being handed over to friends, family or employers,’ he told Ross and Russel on radio station 3AW.
Medibank previously confirmed almost 500,000 health claims were stolen by the hackers, along with personal information, when the unnamed group hacked into its system weeks ago.
Around 9.7million current and former customers have been affected.
No credit card or banking details were accessed.
On Tuesday, the ransomware group posted to its blog that ‘data will be publish (sic) in 24 hours’.
‘P.S. I recommend to sell medibank stocks.’
The Australian Federal Police has expanded its joint initiative with state and territory police set up to investigate September’s Optus data breach to also target the Medibank hack.
‘Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,’ AFP Assistant Commissioner Cyber Command Justine Gough said.
‘This is not just an attack on an Australian business.
‘Law enforcement agencies across the globe know this a crime type that is borderless and requires evidence and capabilities to be shared.’
Medibank apologised again to clients past and present. It advised customers to be alert for any phishing scams via phone, post or email.
‘We knew the publication of data online by the criminals could be a possibility but the criminals’ threat is still a distressing development for our customers,’ CEO David Koczkar said on Tuesday.
He said he was ‘devastated’ for customers, who ‘deserve privacy’, but said if Medibank gave in to the demands of the criminals it would make Australia a target for more such attacks.
‘This is a significant decision for the business and we’ve had extensive expert advice and the reality of that advice is that there was a small chance that paying a ransom – you can call it extortion – that it was very unlikely they may return customer data,’ Mr Koczkar told The Australian.
‘In fact, you just can’t trust a criminal.’
Mr Koczkar said not paying the hackers is ‘consistent with the government policy on paying ransom, so that’s why we’ve made the decision we have to not pay a ransom’.
Home Affairs Minister Clare O’Neil confirmed that Medibank’s decision not to pay a ransom to cyber criminals was in line with government advice.
She said she ‘doesn’t have words to express the disgust’ she feels over the leaking of people’s personal details.
‘The fact that personal health information is being held over their head is just disgusting to me,’ she said on Wednesday.
‘It just shows us that these cyber criminals who we are joined in a fight against between the Five Eyes (Australia, Canada, New Zealand, UK, US) and other friends of partners around the world, they are just disgraceful human beings and we need to step up and do everything we can to fight back against them.’
Ms O’Neil said she wants ‘Australia to be the most cyber-safe country in the world. The payment of ransoms directly undermines that goal.
‘The Australian government, after a wasted decade for digital reform, is stepping up on cyber security and ransomware … we see and recognise the urgent need to address the conditions that have allowed the two largest cyber attacks in our history to occur within the space of two months.’
Ms O’Neil also urged ‘people who may be affected to be on high alert for attempts by cyber criminals to extort individuals over their personal information.
‘Do not assume that anyone who contacts you has access to your data, or that paying a ransom will protect your data privacy.
‘Cyber criminals commit to undertaking actions in return for payment, but so often revictimise companies and individuals,’ she said.
Assistant treasurer Stephen Jones also blasted the hackers on Wednesday.
‘They’re scumbags, they’re crooks, they’re criminals and we shouldn’t be paying ransom,’ he told Sky News.
‘We shouldn’t be giving in to these fraudsters. The moment we fold it sends a green light to scumbags like them throughout the world that Australia is a soft target. We cannot give in and we won’t give in.’
Mr Jones said Australia needed to quickly lift protection against cyber threats.
Medibank is not alone in refusing to pay a ransom demand, with a recent report finding only 19 per cent of Australian companies responded to ransomware attacks by paying the fee.
Mimecast’s 2022 State of Ransomware Readiness report found 20 per cent of companies were asked to pay between $500,000 and $999,999 for their information.
Thirteen per cent of the businesses surveyed said the total cost of the ransomware attacks they’d experienced was between $1million and $2million.
At a Senate estimates hearing on Tuesday, Australian Federal Police commissioner Reece Kershaw told businesses to make sure they contact authorities as early as possible if they suspect a possible data breach.
With the FBI now helping the AFP track down those behind the Medibank and Optus data breaches, Mr Kershaw said investigating would be long and complex.
‘The longer it takes relevant agencies to be informed, the harder it is for perpetrators to be identified, disrupted or brought to justice,’ he told senators.
New privacy laws concerning data hacks passed in the federal parliament overnight.
The laws increase the maximum penalties for serious or repeated privacy breaches from the current $2.22million to whichever is the greater of: $50million; three times the value of any benefit obtained through the misuse of information; or 30 per cent of a company’s adjusted turnover in the relevant period.
The Bill provides the Australian Information Commissioner with increased powers to resolve privacy breaches and quickly share information about such breaches to help protect customers.
Deputy Liberal leader Sussan Ley called on Labor to release money put aside by the former Coalition government to bolster business defences against hackers.
‘Release the $60million of funding we had put aside in grants that would go towards organisations to make them more resilient in the face of cyber attacks,’ she told reporters.
‘We need a plan to address the concerns of everyday Australians, particularly when their sensitive health information has been leaked.’