An extortionist has demanded millions of dollars to stop leaking Australians’ medical records in one of the country’s worst cyber attacks to date
The hacker said in a message published on the dark web early on Thursday that they were seeking $10 million from Medibank, the biggest private health insurer in Australia, for each of the 9.7 million clients impacted by a significant data breach last month.
Similar data leaks and attacks have been a common occurrence in the past few months, and this one adds to a growing list of systems and institutions under attack.
A “naughty list” was leaked earlier this week with sensitive details of clients who underwent treatment for addiction, mental health difficulties, and HIV. The cybercriminal or criminal organization also revealed information presumably linking people to their abortions.
Local media have made connections between the criminal organization REvil and the dark web forum where the data was posted. According to Russian authorities, REvil was shut down earlier this year at the United States’ request.
On Thursday, Medibank CEO David Koczkar reiterated an apology to consumers and called the hacker’s acts “disgraceful.”
Paying the ransom would not guarantee the return of clients’ information and might put “more people in danger by making Australia a bigger target,” according to cyber security experts. As such, Medibank has refused to do so, citing advice from cybercrime specialists.
The Australian Federal Police, which is looking into the incident, has issued a warning that accessing or even merely downloading the material could constitute a crime.
“We remain committed to fully and transparently communicating with customers and we will be contacting customers whose data has been released on the dark web… The weaponization of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community.”
David Koczkar, CEO, Medibank
According to Bloomberg Intelligence, the data breach at Medibank Private Ltd. might cost the Australian health insurer A$700 million ($450 million) if consumers sue for damages over the posting of their personal medical information to a dark web forum.
In a note published on Thursday, BI analyst Matt Ingram stated that “the award of customer damages is the key variable in the ultimate cost of Medibank’s data breach.” If 10% of the impacted consumers join a proposed class action lawsuit and receive the maximum A$20,000 in damages, the compensation bill could reach A$960 million, but BI’s base case is A$480 million, he said.
Additionally, the insurer may be subject to fines, and Ingram estimates that the cost of rectifying the problem would likely more than double the $35 million charge Medibank has already raised. These damages should not necessitate a capital raising, he said, even though they might deal a substantial hit to 2023 earnings.
This recent attack highlights the critical issue of insecure digital infrastructure, which gives hackers the room to hold states to ransom. Unless states cooperate to counteract these offenses, we could be looking at far worse situations in the near future.