Medibank customers don’t know if their personal information is among what hackers leaked to the dark web overnight.
Key points:
- The ABC understands that the basic information of around 5 million Medibank clients has been published on the dark web
- A list dubbed “naughty” by hackers is said to include around a hundred people with high-profile surnames who have sought treatment for drug use or mental health problems.
- Medibank has warned customers that more data is likely to be leaked as it refuses to pay a ransom
It appears that cybercriminals have published what they have called “naughty” and “nice” lists of people prominent among the leaked data.
The ABC understands from multiple reliable sources that the “naughty” list includes about a hundred people, many with known last names, who have undergone treatment for drug or alcohol use, or for mental health problems such as eating disorders.
Sam Biondo, executive director of the Victorian Alcohol and Drug Association, said the disclosure of such private information could do a lot of harm to those affected.
“This was extremely concerning given the stigma associated with people who have problems with alcohol or drugs,” he told ABC News.
“They are vulnerable in many ways, since they have sought help for a problem that they have.”
ABC has been told that the information now on the dark web also includes raw and extremely limited information for around 5 million Medibank customers.
Medibank has admitted that the data of 9.7 million previous and long-standing customers was breached when hackers gained access to a database of its three brands: Medibank, its budget brand ahm, and its international student arm, ohm.
Cybersecurity expert Troy Hunt said it’s clear hackers have released a lot of personal data.
“It appears to be legitimate,” he told ABC News.
“I just saw someone tweet that the information they found there about themselves was accurate.
“I don’t know how many people are really affected by the data that has already been leaked. But several hundred megabytes of text is actually quite a lot of data.”
Medibank warned on Wednesday to expect more data leaks from cybercriminals as it continues to reject ransom demands.
‘Lack of communication’
Meanwhile, Medibank customers aren’t sure if any of their data is now in the public domain.
“Our team is working around the clock so that we can inform customers about their data that we believe has been stolen and remind them of available support,” Medibank CEO David Koczkar said on the social media platform LinkedIn.
“We have started analyzing the data posted on the dark web and will be contacting affected customers. This is a complex process and may take some time.”
However, former Medibank client Juliann Adriani is disappointed with the level of communication from the health insurer so far.
“What worries me a lot is the lack of communication, particularly with people who don’t have access to social media or email,” she told ABC News.
“My father is 81 years old and has not received a shred of correspondence from Medibank Private, despite being a valued customer for a long, long time.”
For Ms. Adriani, the lack of information has been very stressful, amid fears that she is vulnerable to identity theft as a result of the stolen data.
“A feeling of dread and fear of the unknown.”
Mohique Gajdhar has no idea if his data has been published, has not been contacted directly by Medibank and is concerned about the possible publication of his health data.
“Because it’s a very private thing and it shouldn’t have been leaked and it can be misused,” Gajdhar said.
“What prescriptions I take, what doctors I’ve been to, any medical procedures I’ve had, all of that data could be leaked.”
Like other international students, he was required to obtain private health insurance to study in Australia.
“We paid a considerable amount to Medibank,” he said.
“The federal government, the AFP, everyone must ensure that this does not happen again and give guarantees to international students that their data will be safe.”
Australian Federal Police (AFP) Cyber Command Deputy Commissioner Justine Gough told reporters it was potentially illegal even for those who fear their details have been published online to access the leaked files to check whether their details are there.
“They could be committing crimes themselves, because there are some privacy considerations and privacy laws that could be being broken,” she warned.
‘Scum of the earth’
Prime Minister Anthony Albanese is one of the millions caught up in the data breach.
“This is very difficult for people. I am also a client of Medibank Private and it will be a cause for concern if some of this information has been published,” he said at a press conference on Wednesday morning.
“The company has followed the guidelines effectively. The advice is not to participate in a ransom payment. If you go down this path, you’ll end up with more difficulties potentially at a wider range.
“But we will, through [home affairs minister] Clare O’Neil, reply at length on this. We are concerned and will continue to monitor what is happening.”
The AFP said it has stepped up Operation Gatekeeper, in conjunction with state and territory police, to try to protect customer data.
“Overnight, when the information was illegally posted online, AFP took immediate action, including implementing covert techniques,” said Ms Gough.
“AFP Cyber Command investigators are working with public and private sector agencies to scour the Internet and known criminal online sites to identify those who buy or sell personally identifiable information.
“It is a crime to buy stolen information online, which could carry the penalty of up to 10 years in prison. It is also a crime to blackmail and minister to clients.”
Ms Adriani hopes that the AFP will locate the people behind the hack.
“I think they’re just the lowest scum on earth, basically,” she said.
“I don’t know what would drive someone to do this. Other than being really horrible people.”
Law firms circle with class action
Medibank revealed on Monday that the data of almost 10 million current and former customers, which includes name, date of birth, address, telephone number and email address, was exposed and may have been stolen.
But it rejected the criminal’s ransom demand, which the health insurer received “several weeks ago”.
Koczkar said the ransom amount was “irrelevant” and that paying would only increase the risk of further extortion.
The hacker also accessed the health claims of about 160,000 Medibank customers, about 300,000 customers of its offshoot ahm, and about 20,000 international customers.
But bank and credit card details and primary identity documents of local customers were not accessed, the company said.
Meanwhile, two law firms, Bannister Law and Centennial Law, are investigating the terms of the contracts that the health insurer provided to customers and whether damages are appropriate.
They believed Medibank betrayed customers and broke the Privacy Act by failing to stop the hack.
No case has yet been brought before a court.
All Medibank and ahm customers have been urged to contact the company’s cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or through an information page on the company website.
Medibank said its customers can also speak to experienced and qualified mental health professionals on the phone 24/7 for mental health or wellness advice or support (1800 644 325).