The cybercriminals behind the Medibank ransomware attack have published what appears to be the remainder of the data stolen from the Australian health insurer.
The attackers, believed to be linked to the Russia-based REvil ransomware gang, posted an update to their dark web blog in the early hours of Thursday morning saying, “Happy Cybersecurity Day!!! Folder full added. Case closed.”
The dark web blog was down at the time of writing, but according to Medibank, the “full” folder contained six compressed raw data files. At more than six gigabytes, the cache is far larger than any of the attackers’ previous Medibank leaks. Medibank confirmed in November that the attackers had taken personal data belonging to 9.7 million current and former customers, along with health claims data for nearly 500,000 of them.
The attackers previously published data including customer names, dates of birth, passport numbers and medical claims information, as well as sensitive files relating to abortions and alcohol-related illnesses. Parts of the data seen by londonbusinessblog.com also appear to include correspondence between the cybercriminals and Medibank CEO David Koczkar, including a message in which the hackers threaten to leak “credit card decryption keys,” despite Medibank’s statement that no bank or credit card details were accessed.
The cybercriminals say they published the data after Medibank refused to pay their $10 million ransom demand, which was later reduced to $9.7 million, or $1 per affected customer.
Medibank said on Thursday that it is still analyzing the latest leaked data, but that it “appears to be the data we thought the criminal stole.”
“While our investigation continues, there are currently no signs that any financial or banking information has been compromised,” said Medibank. “And the stolen personal data alone is not enough to enable identity and financial fraud. The raw data we have analyzed so far is incomplete and difficult to understand.”
Although the hackers say they have now released all of the data stolen from Medibank, the company added that it expects “the criminal to continue releasing files on the dark web.”
The Australian health insurance giant is urging customers to remain vigilant with all online communications and transactions and to watch for phishing scams that reference the breach. Medibank added that this week it introduced two-factor authentication in its contact centers to verify customer identities.
As Medibank moves to strengthen its security, the company could also face major financial penalties: the Australian parliament this week passed legislation that exposes companies to fines of up to $50 million for repeated or serious data breaches.
Australia’s data and privacy watchdog, the Office of the Australian Information Commissioner (OAIC), announced on Thursday that it had launched an investigation into Medibank’s handling of personal information. The OAIC, which is also investigating the recent Optus breach, said its investigation will focus on whether Medibank took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorized access, modification or disclosure.
“If the investigation reveals serious and/or repeated breaches of privacy in breach of Australian privacy law, the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each violation,” the OAIC said.
News of the investigation comes after the Australian Federal Police (AFP) said in November that it knew the identities of those responsible for the attack on Medibank. The agency declined to name the individuals, but said police believe those responsible for the breach are based in Russia, although some affiliates may be in other countries. The Russian embassy in Canberra denied the allegations.
While their identities remain publicly unknown, the attackers appear to have already moved on from the Medibank hack. In recent days, the group has posted new victims to its dark web blog, including New York-based medical group Sunknowledge Services and the Kenosha Unified School District.