A ransomware group with suspected ties to the infamous Russian-speaking REvil gang has threatened to release the personal information of millions of Medibank customers after Australia’s private health insurance company pledged it would not pay the cybercriminals’ ransom demands.
Medibank, Australia’s largest health insurer, first revealed a “cyber incident” on Oct. 13, saying at the time it detected unusual activity on its network and immediately took steps to contain the incident. Days later, the company said customer data may have been exfiltrated.
In an update posted this week, Melbourne-based Medibank admitted that the attackers had access to about 9.7 million customers’ personal data, including names, dates of birth, email addresses and passport numbers.
The cybercriminals also had access to health claim data from nearly 500,000 customers, including names and locations of service providers, where customers received certain medical services, and codes related to diagnoses and procedures performed. For 5,200 users of Medibank’s My Home Hospital app, the cybercriminals had access to some personal and health claims and, for some, contact information for next of kin.
David Koczkar, CEO of Medibank, said that while the health insurance company believes the attackers likely exfiltrated all the data they had access to, the organization would not pay the ransom.
“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance that paying a ransom will recover our customers’ data and prevent it from being published,” Koczkar said. The chief executive added that paying could even encourage the hackers to employ a triple extortion tactic by attempting to extort customers directly.
Following Koczkar’s announcement, a ransomware gang believed to be a rebrand of the defunct REvil group threatened to leak the stolen Medibank data. The new dark web leak site, seen by londonbusinessblog.com, listed Medibank as one of the victims and said it plans to make the exfiltrated data public. The gang did not say how much data it had exfiltrated from Medibank’s network and shared no evidence of its claims.
The links between the new leak site and REvil, which fell after US authorities shut down the operation in October after the gang targeted ransomware attacks on Colonial Pipeline, JBS Foods and US tech company Kaseya, remain unclear. Brett Callow, a ransomware expert and threat analyst at Emsisoft, said the new operation uses a variant of REvil’s file-encrypting website and that REvil’s old website now redirects to the new leak site.
Medibank described the gang’s threats as a “disturbing development” in a second update published on Tuesday, urging customers to be vigilant with all online communications and transactions.
“We apologize to our customers. We take our responsibility to protect and support our customers seriously,” said Koczkar. “Weaponizing their private information is malicious and it is an attack on the most vulnerable members of our community.”
Medibank added that it is working with the Australian government, including the Australian Cyber Security Center and the Australian Federal Police, to try to prevent the sharing and selling of customer data. The news of the Medibank attack comes just weeks after Australia’s second-largest telco, Optus, was hacked. The Australian government has confirmed an upcoming bill that could put companies that fail to adequately protect people’s data at risk of fines of $50 million or more.