
Extortionist threatens to publish Australian customer data

An extortionist has threatened to make Medibank customer data public within 24 hours after Australia’s largest health insurer refused to pay a ransom for the personal records of almost 10 million current and former customers

Rod McGuirk
Tuesday 08 November 2022 03:20 GMT
Australia Cybersecurity (Copyright 2022 The Associated Press. All rights reserved.)


An extortionist has threatened to make Medibank customer data public within 24 hours after Australia’s largest health insurer refused to pay a ransom for the personal records of almost 10 million current and former customers.

Medibank on Monday ruled out paying ransom for the stolen data. The theft was reported to police Oct. 19 when trade in the company’s shares was halted for a week.

The thieves had reportedly threatened to expose the diagnoses and treatments of high-profile customers unless a ransom of an undisclosed sum was paid.

“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank CEO David Koczkar said in a statement.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Koczkar added.

A blogger using the name “Extortion Gang” posted Monday night on the dark web that “data will be publish (sic) in 24 hours.”

“P.S. I recommend to sell medibank (sic) stocks,” the blog added.

The post did not include data samples that could prove the author held the data. But Medibank on Tuesday took the threat seriously.

“We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,” Koczkar said.

Koczkar urged customers to remain vigilant and warned that the criminal could contact them directly.

Medibank this week updated its estimate of the number of people whose personal information had been stolen from 4 million two weeks ago to 9.7 million. The stolen data included health claims of almost 500,000 people including diagnoses and treatments, the company said.

“The weaponization of their private information is malicious and it is an attack on the most vulnerable members of our society,” Koczkar said.

Cybersecurity Minister Clare O’Neil welcomed Medibank’s stance, saying its refusal to pay a ransom was in line with her government’s advice.

Medibank revealed this week that a hacker stole a company employee’s username and password to access the customer database.

At least two legal firms say they are investigating a potential class-action lawsuit against Medibank for failing to protect customer data.

The price of Medibank shares fell almost 3% in early trade Tuesday on the Australian Securities Exchange following threats of data publication and lawsuits.
