Medibank prognosis gets worse after more stolen data leaked
Plus Australia launches an investigation into insurer's data privacy practices
Australian health insurer Medibank's prognosis following an October data breach keeps getting worse as criminals dumped another batch of stolen customer data on the dark web.
The miscreants, believed to be linked to Russia's REvil ransomware gang, posted what they claimed to be the rest of the exfiltrated data on Thursday, adding: "Case closed."
Medibank said it's still analyzing the leaked data, which includes six "zipped files in a folder called 'full' containing the raw data that we believed the criminal stole."
"Much of the data is incomplete and hard to understand," the insurance giant said. "For example, health claims data released today has not been joined with customer name and contact details."
Medibank previously confirmed that crooks stole data belonging to nearly 10 million of its current and former customers. The insurance giant has refused to pay a ransom to the extortionists.
"Based on the extensive advice we have received from cyber crime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," CEO David Koczkar said in a stock market filing published last month.
The stolen customer info made public in the latest data dump appears to be "personal data," not financial information, and "is not sufficient to enable identity and financial fraud," according to Medibank's Thursday admission.
Despite the criminals' "case closed" claims, "we expected the criminal to continue to release files on the dark web," it added.
Also on Thursday, Australia's data protection agency formally launched an investigation into Medibank's data privacy and security practices that led to the breach.
"The OAIC's investigation will focus on whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure," the Office of the Australian Information Commissioner said in a statement on its website.
"The investigation will also consider whether Medibank took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs)," it added.
If the data privacy agency finds "serious and/or repeated" privacy-related offenses, it may seek civil penalties up to $2.2 million for each violation.
The hits keep on coming
The health insurer first admitted to an attack on October 13. At the time it said it had taken down systems that run two sub-brands as a precaution, but that no customer data had been accessed at either those brands or Medibank itself.
About a week later it backpedaled on the earlier assessment and said the crooks had been in contact to negotiate a deal to get the patient data back. At this point Medibank said 100 records were revealed by the data thieves – some including information about medical treatments customers had undergone.
By the end of October, the health insurance giant had disclosed that "personal data and significant amounts of health claims data" was stolen across all three brands.
Last month the Australian Federal Police (AFP) pointed to Russia as the location of the attackers who breached Medibank — but stopped short of attributing the ransomware attack to REvil — and just days later the government vowed to "stand up and punch back" against the cyber criminals.
To this end, Australia announced a joint operation between the AFP and Australian Signals Directorate (Australia's GCHQ/NSA analog) tasked with investigating and disrupting cybercrime syndicates. Ransomware gangs, the task force said, will receive top priority for takedown.
Minister for Home Affairs and Cyber Security Clare O'Neil said the operation will "scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber-attacks, and disrupt their efforts." ®