Medibank has confirmed that data released overnight by a hacker group is real, meaning that hundreds of the company’s customers have had their names, addresses, phone numbers, passport numbers, health claims data and other personally identifiable information exposed online for anyone to see.
The data — posted after Medibank refused to pay a ransom — also appears to include information on Medibank staff and international students, screenshots of negotiations with the hacking group, and even the company CEO David Koczkar’s mobile phone number.
On Wednesday morning, Medibank responded to the hacker group after it posted a dump of data when the midnight deadline for a ransom payment wasn’t met.
“The files appear to be a sample of the data that we earlier determined was accessed by the criminal,” the Medibank statement said.
The group posted “a small part of the data” to its dark web blog and promised more to come in the future.
“We’ll continue posting data partially, need some time to do it pretty,” it said.
The group said it would publish data beyond just customer data, such as information from Confluence, a software product used by companies to share data internally, and source code of Medibank software.
Have I Been Pwned creator and cybersecurity expert Troy Hunt said the data leaked was “extraordinarily sensitive”.
“This is about as bad as we feared it would get,” he tweeted.
The group posted two lists labelled “good-list” and “naughty-list” with data on 198 customers. Beyond personally identifiable information, the data also includes health provider names along with codes for diagnoses and procedures.
Crikey was unable to independently confirm the legitimacy of the Medibank customers’ contact details after calling dozens of phone numbers. Many of the phone numbers are no longer operational or don’t belong to the people they’re listed for. (This doesn’t disprove the legitimacy of the data. There are many reasons why this reporter was unable to confirm them ranging from the company possessing old data to luck.)
Other information includes spreadsheets with what appears to be basic information about tens of thousands of international students and the phone numbers and device IDs of hundreds of Medibank staff’s phones.
The data posted also includes what appears to be screenshots of email and text message negotiations between the hacking group and Medibank staff. These started in October with the original ransom note and ended on November 7 when a Medibank staff member told the group they would not pay the ransom.
The group even included a screenshot of a WhatsApp contact listed as belonging to company CEO David Koczkar and messages sent to him.
“HI! As your team is quite shy, we decided to make the first step in our negotiation,” they wrote on October 18.
The authenticity of the negotiation screenshots, Medibank staff and international student information has not been specifically confirmed by the company.
Home Affairs and Cybersecurity Minister Clare O’Neil shared a list of steps to take for those affected by the hack on Twitter.
“If you’re a Medibank or AHM customer, it’s important to be extra vigilant,” she said.
We’ve been continually told it’s OK for (insert name) to hold digital information about us, that our privacy concerns were not valid. Another version of gaslighting.
It is notable that Medibank, as an insurance company, didn’t take out hacker cover because “insurance was too expensive”.
Granted a company shouldn’t pay the ransom because the hackers would simply ask for more, but we’re not talking one person’s files, we’re talking a lot of ID data to fake an entire person that’s now getting drip fed to however many other unscrupulous parties right now.
Gonna be a lot of very angry and frightened people spending top dollar to redo all their ID. Is Medibank going to pay for that?
Hopefully this is the impetus for parliament taking data privacy seriously and crafting new laws that help to protect individual data and punish companies (and their boards) for failures to comply. This stuff is disruptive to such a degree that there are grounds for taking strong protective measures.
It feels like Australian parliament has sleepwalked into this issue, and we’re all suffering the consequences.
Paying a ransom doesn’t help anyone, except encourage more extortion. Welcome to the digital age. How much corporate money goes into an extortion fund, I wonder.
I would rather Medibank say no and save me a little on their extortionate fees. If they had paid, I would have walked away as a member.
PS: selling off Medibank Private for a quick buck by the NeoLibs was the biggest slap in the face in my opinion – it’s their infrastructure that was handed over. I’d start worrying about all government software now.