Medibank CEO David Koczkar accused the hacker behind Medibank’s ongoing data leaks of “enjoying the notoriety” his crimes are bringing.
It’s the hackers’ third release in three days, this time revealing the private health records of 241 Australians in an online ransomware forum.
The data file in this case targets a particular alcohol-related medical diagnosis, and the victims are from across Australia.
In posting this new data, the hackers also posted an update to their message that appears to respond to strong language used yesterday by Federal Cyber Security Minister Claire O’Neil in Parliament, saying “You say that’s disgusting (wow- wow), we publish some data, but we warn you, we always keep our word.
“If we did not receive a ransom, we should publish this data, because no one will believe us in the future. The same goes for our words, that we would not publish any data in the future, if we receive ransom payments.”
“We never lie, it doesn’t make any sense, if we lie to someone, no one will consider you a serious business side.
“Imagine what wave of scam your customers would get after that, how much would you invest to cover the damages.”
Koczkar said he offered an “unqualified” apology to customers.
“The continued publication of this stolen data on the dark web is disgraceful,” he said.
“Unfortunately, we expect the criminal to continue posting stolen customer data every day.
“The relentless nature of this tactic used by the criminal is designed to cause distress and harm.
“It is obvious that the offender enjoys notoriety. Our sole focus is the health, well-being and care of our clients.”
It follows the release last night of highly confidential information about clients facing termination of non-viable pregnancies.
Medibank has continued to follow the advice of experts and the government, which has been not to pay the ransom.
The hacker forum contains a lot of previous leaks, and the hackers’ words today indicate that they are coordinated in their attacks with the previously demanded $15 million ransom payment as their ultimate goal.
Today’s data release brings the total number of personal health care details released to 741, out of an estimated 480,000 that Medibank says hackers have gained access to.
The names, addresses, personal contact details and Medibank numbers of the remaining 9.2 million victims have been exposed, but not their health records.
Cyber Security Minister Clare O’Neil said yesterday that she called Medibank chief executive David Koczkar and made clear the community’s expectations about the support the insurer should provide.
Medibank repeatedly apologized to customers and condemned the release of information.
It offers multiple support services, including identity protection, counseling, and a support hotline for people left “uniquely” vulnerable by the attack.
“We remain committed to fully and transparently communicating with customers and will contact customers whose data has been published on the dark web,” Koczkar said this morning.
O’Neil also issued a warning to hackers.
“What has happened here is morally reprehensible and it is criminal,” he said.
“I want the bastards behind this attack to know that the smartest, toughest people in this country are after them.”
It was also revealed yesterday that the hack may have exposed the Virgin Frequent Flyer numbers of thousands of members, who were temporarily blocked from accessing their accounts or redeeming travel points while the airline generates new numbers for them.
This latest development comes as Optus reveals that its data breach will cost at least $140 million, including costs to replace hacked identity documents.