The Medibank data breach impacting 9.7 million customers is approaching a climax, as the ransomware group that was denied a $15 million ransom pay-out has started publishing client data on the dark web.
The data was allegedly posted to a blog belonging to the group, and includes hundreds of purportedly stolen names, addresses, birthdates and sensitive Medicare details.
The hackers also posted screenshots of what appears to be private messages between the group and Medibank representatives.
This latest spate of developments kicked off when, on 7 November, Medibank announced it would not pay any ransom demand for this data theft incident.
In a direct response to Medibank's announcement, a ransomware group posted a bizarre dark web announcement which warned the leaked data would be published within 24 hours.
The ransom group, which some cyber crime researchers are dubbing "BlogXX", had reportedly demanded a ransom from Medibank under the threat of releasing the data – clashing with Medibank's firm stance against paying ransom demands.
After a reported midnight deadline passed and the ransom remained unpaid, 'BlogXX' took to publishing its first sets of stolen data.
Medibank said it was aware of this latest development and that the files posted on the dark web forum appeared to be a sample of the data it had previously determined was accessed by the criminal.
Furthermore, Medibank pointed out the data released by the criminal(s) included some cases of passport numbers (not expiry dates) for international students, Medicare numbers (not expiry dates) for ahm customers and, notably, some health claims data.
The health insurer has also confirmed that, among the approximately 9.7 million current and former customers affected thus far, nearly 500,000 health claims were accessed by the hackers during the attack.
"We expect the criminal to continue to release files on the dark web," said Medibank.
"We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web and provide advice on what customers should do."
PM caught in breach, government quick to respond
Medibank has continuously worked with the Australian Government, the Australian Cyber Security Centre, and the Australian Federal Police over the past month – and the health insurer says its decision to forego a ransom was "consistent with the position of the Australian Government".
Prime Minister Anthony Albanese, who today revealed he is in fact a customer of Medibank Private, said "the company has followed the guidelines effectively, the advice, which is to not engage in a ransom payment."
"This is really tough for people," said Albanese, "I am a Medibank Private customer as well, and it will be of concern that some of this information has been put out there."
The prospect of the Prime Minister's details being exposed on the dark web is serious, as is the risk presented to the approximately 9.7 million other Australians affected by this breach.
Still, government voices are backing Medibank's decision to forego any ransom pay-out, arguing that a ransom payment could exacerbate the problem of rampant cybercrime.
"Cyber criminals cheat, lie and steal," said Cyber Security Minister Clare O'Neil before the stolen data was published online.
"Paying them only fuels the ransomware business model. They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals," she added.
In Parliament, O'Neil said "I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act.
"Based on information that we have at this moment, the number of citizens whose medical information may have been compromised is small at this stage," she added.
"But I want the Australian people to understand that that is likely to change.
"We are going through a difficult period now that may last for weeks, possibly months, not days and hours."
After 'BlogXX' leaked its data, both O'Neil and Minister for Government Services, Bill Shorten, shared a help sheet for affected customers.
"Unfortunately, all customers need to be extra vigilant during this time," said Shorten.
Federal Police expands Operation Guardian
In response to these latest developments, the Australian Federal Police (AFP) has expanded Operation Guardian to assist affected Medibank customers.
"Today the AFP has expanded Operation Guardian to protect Medibank customers whose personal information has been unlawfully released online by ransomware criminals," said AFP Assistant Commissioner Cyber Command Justine Gough.
Operation Guardian, a joint initiative with state and territory police launched in September this year, was originally set up as a protective measure for Optus customers whose identification credentials were leaked during the landmark Optus data breach.
Now, the AFP has expanded Operation Guardian to protect customers of Medibank whose "personal information has been unlawfully released online by ransomware criminals".
"I know today there will be Medibank Private customers who will feel exposed, embarrassed and fearful because of the deeply personal information that has been stolen and dumped on the dark web," said Gough.
She warned cyber criminals that the AFP took immediate action in response to the overnight release of Medibank data, including the undertaking of "covert techniques".
Gough further revealed investigators within AFP's cyber command are working to "scour the internet" and identify buyers or sellers of personal identification information.
"It is an offence to buy stolen information online, which could include the penalty of up to 10 years imprisonment," she said.
"It is also an offence to blackmail and menace customers."
Recently, a 19-year-old Sydney man pleaded guilty to trying to blackmail Optus customers after he was arrested and charged by the AFP.
"The AFP has significant powers within its remit, including legislation that precludes the AFP from revealing when those powers are in use.
"Those powers are a chilling reminder to hackers and those who will attempt to piggyback off those criminals that the AFP will relentlessly pursue them," said Gough.
After providing a stern warning to both hackers and opportunistic cyber criminals, Gough urged impacted Medibank customers to reach out if they are at risk.
"This is not just an attack on Australian business," she said.
"To the customers impacted by this latest breach, please do not be embarrassed to contact police through ReportCyber if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made.
"Please call 000 if you believe you are at imminent risk," she added.
The AFP also says the AFP-led Operation Pallidus, which is focused on the criminal Medibank data breach, is working alongside Commonwealth agencies and 'Five Eyes' law enforcement partners, including the FBI.
Looming lawsuits and more to come
Medibank continues to monitor the situation and provide updates as they occur, but for the time being, the alleged hacker group shows no signs of withdrawing.
Medibank said customers should be vigilant with all online communications and transactions, and should remain alert for any phishing scams via phone, post, or email.
"We unreservedly apologise to our customers," said Medibank CEO David Koczkar.
"We take seriously our responsibility to safeguard our customers and we stand ready to support them," he said.
In the meantime, two law firms are signalling potential class action lawsuits against the health insurer, after they voiced a belief Medibank had "betrayed customers" and breached the Privacy Act by not stopping the hack. No case has yet been filed with a court.