Extortionist threatens to release Australian customer data
CANBERRA, Australia (AP) — An extortionist has threatened to release Medibank customer data within 24 hours after Australia’s largest health insurer refused to pay a ransom for the personal records of nearly 10 million current and former customers.
Medibank on Monday ruled out paying a ransom for the stolen data. The theft was reported to police on October 19 when trading in the company’s shares was halted for a week.
The thieves reportedly threatened to expose the diagnoses and treatments of prominent clients unless a ransom of an undisclosed sum was paid.
“Based on extensive advice we have received from cybercrime experts, we believe there is only a limited chance of paying a ransom to secure the return of our customers’ data and prevent it from being published,” Medibank CEO David Koczkar said in a statement.
“In fact, paying could have the opposite effect and encourage the criminal to extort our customers directly and there is a good chance that paying will put more people at risk by making Australia a bigger target,” Koczkar added.
A blogger using the name “Extortion Gang” posted on the dark web late Monday that “data will be released (sic) in 24 hours.”
“PS, I recommend selling shares of medibank (sic),” the blog added.
The message did not include sample data that could prove the author had the data. But Medibank took the threat seriously on Tuesday.
“We knew that the criminal’s publication of data online could be a possibility, but the threat of the criminal is still a painful development for our customers,” Koczkar said.
Koczkar urged customers to remain vigilant and warned that the criminal may contact them directly.
Medibank this week updated its estimate of the number of people whose personal information was stolen from 4 million two weeks ago to 9.7 million. The stolen data included health claims from nearly 500,000 people, including diagnoses and treatments, the company said.
“The weaponization of their private information is malicious and an attack on the most vulnerable members of our society,” Koczkar said.
Cybersecurity Minister Clare O’Neil welcomed Medibank’s stance, saying its refusal to pay a ransom was in line with her government’s advice.
Medibank revealed this week that a hacker stole a company employee’s username and password to access the customer database.
At least two law firms have said they are investigating a potential class action lawsuit against Medibank for failing to protect customer data.
Medibank’s share price fell nearly 3% in early trading Tuesday on the Australian Securities Exchange following data release threats and lawsuits.
Rod McGuirk, The Associated Press