A ransomware group has started posting Medibank customer data on the dark web, days after the Australian health insurer announced it would not pay a ransom.
The initial dump, limited to a few hundred megabytes, was posted on a blog linked to the Russian ransomware group REvil overnight, after threats were made to release data on Tuesday.
The data includes hundreds of names, addresses, birthdates, Medicare numbers and hospital addresses posted as “good list” and “naughty list”.
Tech giants accuse Labor of ‘overreach’ over bill fining companies $50m for data breachesRead more
The alleged hacker said the data is currently stored in a “not very understandable format” of table dumps, and they will continue to post data partially.
“Need some time to do it pretty.”
Medibank has said 9.7 million current and former customers are affected by the breach. That includes 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers.
The insurer says health claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information exposed includes service provider names and codes associated with diagnosis and procedures.
Sign up for Guardian Australia’s free morning and afternoon email newsletters for your daily news roundup
There were also 5,200 My Home Hospital patients who had their personal and health data accessed, and 2,900 next of kin of these patients who had some contact details accessed.
The hacker also posted screenshots of what they claimed were communications between themselves and Medibank over the release of the data. The last contact was on 7 November – the day Medibank publicly announced it would not pay the ransom.
Medibank confirmed that the files released appear to be the sample of data originally provided to the insurer by the hacker. The data includes Medicare numbers for ahm customers, some passport numbers for international students, and some health claims data, Medibank said.
“We expect the criminal to continue to release files on the dark web,” the company said in a statement on Wednesday.
The Medibank CEO, David Koczkar, apologised to customers.
“This is a criminal act designed to harm our customers and cause distress,” he said. “We take seriously our responsibility to safeguard our customers and we stand ready to support them.”
Medibank said customers should be vigilant that they might be targeted by scammers via phone, email or texts from unknown or suspicious numbers.
Koczkar told Guardian Australia on Monday paying a ransom could result in customers or other businesses being targeted.
“You just can’t trust the criminals. Our advice is that not paying the ransom will provide the best security for our customers and also other Australians,” he said.
Troy Hunt, a cybersecurity expert and founder of Haveibeenpwned.com, posted on Twitter that the release of the data was “as about as bad as we feared it would get”.
Medibank has said that not paying the ransom is in line with the advice of cybersecurity experts and the Australian government.
skip past newsletter promotion
Sign up to Afternoon Update
Free daily newsletter
Our Australian afternoon update breaks down the key stories of the day, telling you what’s happening and why it matters
The home affairs minister, Clare O’Neil, told the parliament in question time that she “cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act.”
O’Neil said the government had been preparing for the eventuality of the data being published, and a “national coordination mechanism” had been put in place between Home Affairs and the Health Department, that includes protecting government data, coordinating with state police, working with those people who are affected, and providing mental health support and counselling.
She said both herself and the prime minister, Anthony Albanese, are Medibank customers.
The eSafety commissioner will also be included in the mechanism, and O’Neil urged the social media and traditional media companies not to publish personal information from the data.
“I have said before we are about five years behind where we should be with regard to cybersecurity and there is a power of work under way at the moment to change that. We are working hard to protect you and to protect our country.”
Cybersecurity company Sophos’ State of Ransomware 2022 report found that 46% of organisations who were hit with ransomware attacks chose to pay the ransom, but only 4% received all their data back unencrypted.
The Australian federal police announced on Wednesday that it would expand Operation Guardian – which was set up to protect the 10,000 Optus customers who had their personal information posted online earlier this year – to those Medibank customers exposed.
“Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” AFP assistant commissioner cyber command Justine Gough said in a statement.
“Law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offences using stolen Medibank Private data.”
Gough also said people should not try to download or access the data themselves, saying it may constitute a criminal offence.
“We use the powers and authorities of all of our agencies to disrupt the sale and distribution of the unlawfully obtained data,’’ Gough said.
On Tuesday, the Australian federal police commissioner, Reece Kershaw, told Senate estimates that Operation Palladius had been launched to investigate the Medibank data breach. The agency also has separate investigations under way for the Optus and MyDeal data breaches.
“The AFP has invested significant resources into these investigations, which will be long and complex,” he said.