Some of the stolen Medibank customer data has been leaked online after Australia’s largest health insurance provider refused to pay a ransom to hackers.
Here’s the latest.
Are hackers really releasing Medibank data on the dark web?
Medibank has confirmed information it believes was stolen from their systems has been posted to a dark web forum.
Like millions of other Australians, my family was caught up in the Medibank breach & today we’re learning our personal data is on the dark web. Our worst data breach nightmares are playing out in real time, as our existing laws & data protection systems are no match for hackers.
— David Shoebridge (@DavidShoebridge) November 9, 2022
So far the data released includes names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers and in some cases passport numbers and health claims data.
The group says it will continue to post more data in coming days.
Why are they releasing the information?
The group had demanded an unknown amount of money from Medibank in exchange for not releasing the data.
Medibank won’t say how much the hackers wanted, only that the ransom was made a few weeks ago.
The deadline to pay was midnight on Tuesday.
Why didn’t Medibank just pay the ransom?
The amount of money the hackers demanded is “irrelevant”, according to Medibank chief executive David Koczkar.
Loading Twitter content
Both he and cyber security minister Claire O’Neil say paying the ransom could potentially put more Australians at risk, with no guarantee the data would even be returned.
Paying the money “only fuels the ransomware business model”, says Ms O’Neil.
So, what happens now?
The FBI is helping the Australian Federal Police (AFP) track down those responsible for both the Medibank and Optus data breaches.
Operation Guardian – the AFP investigation set up after 10,200 Optus customer records were published online – has so far made one arrest, a 19-year-old from Sydney.
He’s since pleaded guilty to blackmail, but he’s not the person who initially leaked the information.
Beyond that, the investigation is continuing, with AFP cybercrime assistant commissioner Justine Gough saying they’re “aggressively pursuing all lines of inquiry”.
But how did we get to this point?
Medibank first alerted the public to the breach on 13 October – at the time it said there was no evidence sensitive data had been accessed.
On 19 October, it issued a statement saying it had been contacted by a criminal group claiming to be hackers. The group sent a sample of 100 records believed to be from Medibank’s system.
The breach is estimated to cost Medibank between $25 million and $35 million, but they haven’t yet estimated how much they may spend to compensate customers.
They’ve also delayed planned premium increases until 16 January 2023.
Medibank is now also facing a possible class action lawsuit, with two law firms investigating Medibank’s contracts and determining whether customers are entitled damages.
No case has been filed.
How do I know if my personal data has been accessed?
Every Medibank, ahm and international student customer’s personal data, and a “significant amount” of health-claims data was compromised.
This means about four million current and former customers across all three brands are at risk.
If you’re concerned your data may have been breached, contact the company’s cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or via their information page.
What else can I do?
Stay vigilant for possible scams. Medibank says it will never contact customers requesting passwords or other sensitive information.
Loading YouTube content
Medibank has started a dedicated cyber crime support package, including:
- a hardship package to provide financial support for customers who are in a uniquely vulnerable position as a result of this crime, who will be supported on an individual basis
- access to Medibank’s mental health and wellbeing support line for all customers, including ahm customers
- access to specialist identity protection advice and resources from IDCARE
- free identity monitoring services for customers who have had their primary ID compromised
- reimbursement of fees for reissue of identity documents that have been fully compromised in this crime.
Are there other ways I can protect myself from hackers?
Website HaveIBeenPwned will let you see whether your mobile number and email address have appeared in recorded data breaches.
You can also check your credit reports to see whether someone has tried to apply for credit in your name. The Office of the Australian Information Commissioner says there are three main reporting bodies:
- Equifax, which provides free credit reports every three months
- illion, which doesn’t charge for credit reports. Once you’ve created a free account, you can go on as often as you like
- Experian, which provides free credit reports every three months.
Even if nothing comes up on these sites, it doesn’t necessarily mean you’re in the clear. You should keep an eye out for any unusual banking activity, suspicious messages and updates from the hacked company.
You should also change your passwords, lock your SIM card, apply for a credit ban and opt for multi-factor authentication where you can.
2020 Australian Broadcasting Corporation. All rights reserved.
ABC Content Disclaimer