NCA NewsWire / Paul Jeffers

An extortionist has demanded millions of dollars to stop leaking Australians’ medical records in one of the country’s worst cyber attacks to date.

The hacker said in a message published on the dark web early on Thursday that they were seeking $10 million from Medibank, the biggest private health insurer in Australia, for each of the 9.7 million clients impacted by a significant data breach last month.

Similar data leaks and attacks have been a common occurrence in the past few months, and this adds to a growing list of systems and institutions under attack.

A “naughty list” was leaked earlier this week with sensitive details of clients who underwent treatment for addiction, mental health difficulties, and HIV. The cybercriminal or criminal organization also revealed information presumably linking people to their abortions.

Local media have made connections between the criminal organization REvil and the dark web forum where the data was posted. According to Russian authorities, REvil was shut down earlier this year at the United States’ request.

On Thursday, Medibank CEO David Koczkar reiterated an apology to consumers and called the hacker’s acts “disgraceful.”

Paying the ransom would not guarantee the return of clients’ information and might put “more people in danger by making Australia a bigger target,” according to cyber security experts. As such, Medibank has refused to do so, citing advice from cybercrime specialists.

The Australian Federal Police, which is looking into the incident, has issued a warning that accessing or even merely downloading the material could constitute a crime.

“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web…The weaponization of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.”

David Koczkar, CEO Medibank

According to Bloomberg Intelligence, if consumers decide to sue for damages after their personal medical information was posted to a forum on the dark web, the data breach at Medibank Private Ltd. might cost the Australian health insurer A$700 million ($450 million).

In a note published on Thursday, BI analyst Matt Ingram stated that “The award of customer damages is the key variable in the ultimate cost of Medibank’s data breach.” If 10% of the impacted consumers file a proposed class action lawsuit and receive the maximum A$20,000 in damages, the compensation bill may reach A$960 million, but BI’s base case is A$480 million, he said.

Additionally, the insurer may be subject to fines, and Ingram estimates that the $35 million charge Medibank has already raised would likely be more than doubled by the cost of rectifying the problem. These damages shouldn’t necessitate a capital raising, he said, even though they might deal a substantial hit to 2023 earnings.

This recent attack sheds light on the critical issue of insecure digital infrastructure that gives hackers the room to hold states to ransom. Unless states cooperate to counteract these offenses, we could be looking at far worse situations in the near future.
