Hackers behind the infamous Medibank data breach have published what appears to be the remaining datasets gathered from the incident on their blog, saying it was “case closed” after the health insurer refused to pay a ransom.
An update appeared on the hacker’s blog in the early hours of Thursday morning which read “Happy Cyber Security Day!!! Added folder full. Case closed.”
The remaining zipped files are around 5GB in size.
In a statement on Thursday morning, Medibank said it was still sifting through the files but that it “appears to be” the stolen data.
“While our investigation continues there are currently no signs that financial or banking data has been taken,” the health insurer said.
“And the personal data, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand.”
Government Services Minister Bill Shorten was speaking on ABC Radio National when the news broke, and described the final data dump as “shocking”.
“The people who’ve hacked Medibank are absolute criminal low-lives,” he said.
“If people think any government ID has been in any way breached, contact us. When it comes to things like your Medicare card, we will replace it.”
The hack originated in Russia, according to the Australian Federal Police (AFP) which pointed the finger at Russian cyber criminals following the hackers’ publication of data that included sensitive information about mental health diagnoses and treatments.
The government announced a Joint Standing Operation Against Cyber Criminal Syndicates – with the not-so-catchy initials JSOACCS – to hack the hackers.
Home Affairs Minister Clare O’Neil said Australia’s “smartest and toughest people” would “hunt down the scumbags who are responsible for these malicious crimes against innocent people”.
For a time, the government’s offense appeared to have worked when the hackers’ blog briefly disappeared before coming back online soon after.
‘As bad as it gets’
Chair of the Australian Computer Society (ACS) Cyber Security Committee Louay Ghashash said that even though the hackers have indicated they are ridding themselves of the data, the saga is not over.
“This is as bad as it could get,” he told Information Age.
“Now there are other entities who can access that data to contact customers, or to threaten them – especially given the nature of medical data.”
Medibank confirmed in late October that all of its 9.7 million customers’ data had been ransacked in the incident, including dates of birth, phone numbers, email addresses, and health claims all accessed by the bad actors.
Ghashash said the advice for Medibank and AHM customers remains the same: be vigilant of any accounts that may have been tied to the health insurers, change credentials like passwords of those associated accounts, use multi-factor authentication, and update identification like Medicare numbers or drivers licences if they were impacted.
What he would like to see now is greater transparency from Medibank, and all organisations who suffer severe cyber incidents, around what measures they are taking to improve data security.
“I would like to see more transparency about what they are doing to minimise future impact of breaches,” Ghashash told Information Age.
“Simply saying things like they’re going to do better is not enough. They don’t have to give specific details about exactly what systems they’re implementing but at the moment I don’t know what Medibank has done to ensure this doesn’t happen in future and that concerns me.”
Ghashash wants assurances that data encryption will be improved and less data will be held on Medibank’s systems in the wake of the breach.
He said Optus has set a good example by promoting the use of Mastercard’s Digital ID service for customer verification.
The Optus breach notably saw passport, drivers license, and Medicard numbers leaked which the telco said had been stored for verification and identification purposes.
