The Russian hackers alleged to be at the centre of a major hack of Australia’s largest health insurer Medibank have followed through with threats to leak private health data belonging to Australian customers on the dark web.
Medibank refused to pay a ransom demanded by the hackers, fearful that doing so would encourage further hacks. It would also have run contrary to the Australian government’s policy relating to online criminal threats, something that Home Affairs Minister Clare O’Neil confirmed.
In response, the hackers began by posting a Super Mario meme to taunt Medibank swiftly followed by the posting of names, addresses, birth dates, and other Medicare data such as gender and internal codes that list a person’s diagnosis and treatment (although crucially not banking information) on a “naughty and nice” list.
Medibank has confirmed that its entire database with 9.7 million customers was impacted by the hack. Of those, 5.1 million are Medibank customers, 2.8 million belong to AHM (health insurance branch), and the final 1.8 million are international customers.
The hackers have said that there will be more information released—possibly with a preference for Australian celebrities—but they need “more time” due to the awkward formatting of the data in its original table-based format.
Originally, it was also reported that some health information had been removed although it is not clear yet to what, if any, extent that has occurred.
Proving themselves to be “eloquent,” the hackers said: “We’ll continue posting data partially, need some time do it pretty.”
The hack is a serious criminal matter and no doubt the ransomware group will continue to leak information online in the hope of a payout—if not from Medicare, then maybe from the celebrities they target.
Revealing addresses and phone numbers is not only a violation of privacy, but it is also extremely dangerous for vulnerable people who have moved away from abusive partners and presents a safety risk for celebrities.
Stuck Between a Rock and a Hard Place
The only thing that Medibank could do was apologise. Even if they paid the ransom, it comes with no guarantee in the Wild West of online hacking that the data would be secured.
“We knew the publication of data online by the criminal could be a possibility but the criminals’ threat is still a distressing development for our customers,” added Medibank CEO David Koczkar, who has a nightmare scenario on his hands including the leaking of his personal phone number from screen-shotted text messages with the hackers.
Later, speaking to The Australian newspaper, Koczkar added: “This is a significant decision for the business and we’ve had extensive expert advice. And the reality of that advice is that there was a small chance that paying a ransom—you can call it extortion—that it was very unlikely that they may return customer data. In fact, you can’t trust a criminal.”
The home affairs minister has stood behind Medibank and its decision.
“The fact that personal health information is being held over their head is just disgusting to me. It just shows us that these cyber criminals who we are joined in a fight against between the Five Eyes and other friends of partners around the world, they are just disgraceful human beings and we need to step up and do everything we can do fight against them,” Minister Clare O’Neil said.
“They’re scumbags, they’re crooks, they’re criminals, and we shouldn’t be paying ransom,” added Assistant Treasurer Stephen Jones. “We shouldn’t be giving in to these fraudsters. The moment we fold it sends a green light to scumbags like them throughout the world that Australia is a soft target. We cannot give in and we won’t give in.”
Moves to Speed Up State-Backed Digital ID Rollout
Cyber hacking of this sort is nothing new. In the last few years, medical information has become the leading target for attacks, no doubt due to the increased weight that governments and businesses are attaching to public health.
There are genuine concerns that hacking incidents, such as what happened to Medibank and telecommunications giant Optus, are going to be used by governments as an excuse to race through global Digital Identity policies.
Domestically, Australia’s version is called the “Trusted Digital Identity Bill” which encourages the mass collation and sharing of data—combining, for the first time, social, health, banking, business, and telecommunications data under one government roof.
Evidence that this is occurring continues to mount, first after the Optus attack (still under criminal investigation with the Australian Federal Police and America’s FBI) with the Australian Financial Review writing “Optus fiasco must kickstart the federal Digital ID scheme” which puts the responsibility on the government to create a unified digital profile for all Australians.
If it were to go ahead, the next time the government is hacked, thieves won’t only walk away with names and addresses, they’ll have an entire human profile and security pass.
Would a Digital ID solve the hacking problem for businesses?
That is also unlikely, given that businesses will almost certainly need to continue storing localised data in their systems to operate. Even sending out payment bills requires the retention of names, addresses, and phone numbers.
“The Australian government, after a wasted decade for digital reform, is stepping up on cyber security and ransomware … we see and recognise the urgent need to address the conditions that have allowed the two largest cyber attacks in our history to occur within the space of two months,” said the Home Affairs Minister O’Neil.
One of the only things protecting the government from similarly severe cyber hacks is its archaic, disassociated, and anonymised data which is so old and clunky that hackers often walk away with meaningless dust rather than data.
A brand new, easy-to-read, collated digital gold mine in the Digital ID program would change that. It’s a whistle to every hacker in the world.
In the wake of the hack, Medibank’s share price took a dive while class action suits assemble against the company.
There is increasing evidence that the hackers are Russian, possibly related to a group that had previously disbanded due to Russian authorities cracking down on them.
Given the state of geopolitics with many Western nations involved in a proxy war with Russia via Ukraine, bringing hackers to justice this time appears to be a distant hope if they are based overseas.
As for customers, they are left with some difficult decisions to make in order to protect their safety.