Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Hacker publishes Australian health insurer's customer data

An extortionist has fulfilled a threat by publishing Medibank client data

Rod McGuirk
Wednesday 09 November 2022 00:53 GMT
Australia Cybersecurity
Australia Cybersecurity (Copyright 2022 The Associated Press. All rights reserved.)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Medibank client data was published by an extortionist Wednesday, including details of individuals' medical procedures, after Australia’s largest health insurer refused to pay a ransom for the personal records of almost 10 million current and former customers.

The release of information on the dark web appeared to be a sample of the data that Medibank had previously determined had been stolen last month, a company said. Medibank expected the thief would continue releasing data.

“This is a criminal act designed to harm our customers and cause distress,” Medibank CEO David Koczkar said in a statement that reiterated a previous apology to customers.

“We take seriously our responsibility to safeguard our customers and we stand ready to support them,” he added.

Prime Minister Anthony Albanese, who is a Medibank customer and has had personal data stolen, welcomed the company’s refusal to pay the hacker to have the records returned.

“This is really tough for people. I’m a Medibank Private customer as well and it will be of concern that some of this information has been put out there,” Albanese told reporters, referring to a Medibank brand.

“The company has followed the guidelines effectively, the advice, which is to not engage in a ransom payment. If you go down this road, then you end up with more difficulties potentially across a wider range,” Albanese added.

The thieves had reportedly threatened to expose the diagnoses and treatments of high-profile customers unless a ransom of an undisclosed amount was paid, but Medibank decided there was “only a limited chance” that a ransom would prevent the data being published.

A blogger using the name “Extortion Gang” posted Monday night on the dark web that “data will be publish (sic) in 24 hours.”

Medibank this week updated its estimate of the number of people whose personal information was stolen from 4 million two weeks ago to 9.7 million. The stolen data included health claims of almost 500,000 people including diagnoses and treatments, the company said.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in