Medibank customers are still unsure whether any of their personal information was among the data leaked onto the dark web by hackers overnight.
- The ABC understands that basic information of about 5 million Medibank customers has been published on the dark web
- A list branded as “naughty” by hackers reportedly includes around 100 people with high-profile last names who have sought treatment for drug use or mental health issues.
- Medibank has warned customers that more data is likely to leak as it refuses to pay a ransom
It appears that the cybercriminals published what they called “naughty” and “nice” lists of prominent people among the leaked data.
The ABC understands from multiple reliable sources that the “naughty” list includes around 100 individuals, many with well-known last names, who have undergone treatment for drug or alcohol use, or for mental health issues such as eating disorders.
Sam Biondo, chief executive of the Victorian Alcohol and Drug Association, said disclosing such private information could cause great harm to those affected.
“It was extremely concerning given the stigma associated with people who have alcohol or drug problems,” he told ABC News.
“They are vulnerable in many ways, given that they have sought help for a problem that they have.”
The ABC has been told that the information currently available on the dark web also includes raw and extremely limited information for approximately 5 million Medibank customers.
Medibank has admitted that the data of 9.7 million current and former customers was breached when hackers gained access to a database of its three brands: Medibank, its economy brand ahm, and its international student arm, ohm.
Cybersecurity expert Troy Hunt said it was clear that a lot of personal data had now been released by the hackers.
“It seems legit,” he told ABC News.
“I just saw someone tweet that the information they found about themselves was accurate.
“I don’t know how many people are actually affected by the data that has already been leaked. But several hundred megabytes of text is actually quite a bit of data.”
Medibank warned on Wednesday that it expects further data leaks from the cybercriminals as it continues to refuse their ransom demands.
‘Lack of communication’
Meanwhile, Medibank customers don’t know if any of their data is now in the public domain.
“Our team is working around the clock so that we can notify customers of their data that we believe has been stolen and remind them of the assistance available,” Medibank Chief Executive David Koczkar said on the social media platform LinkedIn.
“We have started analyzing data posted on the dark web and will be contacting affected customers. This is a complex process that may take some time.”
However, long-time Medibank customer Juliann Adriani is disappointed with the level of communication from the health insurer so far.
“What worries me a lot is the lack of communication, especially with people who don’t have access to social media or email,” she told ABC News.
“My father is 81 and has not received any correspondence from Medibank Private, although he has been a valued client for a very, very long time.”
For Ms Adriani, the lack of information has been very stressful, amid fears she may be vulnerable to identity theft due to the stolen data.
“A feeling of dread and fear for the unknown.”
Mohique Gajdhar does not know if his data has been published, has not been contacted directly by Medibank and is concerned about the possible publication of his health data.
“Because it’s a very private thing and shouldn’t have been disclosed and can be misused,” Gajdhar said.
“What prescriptions I take, what doctors I’ve seen, any medical procedures I may have had, all of that data could be leaked.”
Like other international students, he had to take out private health insurance to study in Australia.
“We pay a significant sum to Medibank,” he said.
“The federal government, AFP, everyone should make sure this doesn’t happen again and reassure international students that their data will be safe.”
Australian Federal Police (AFP) Cyber Command Deputy Commissioner Justine Gough told reporters it was potentially illegal to access the disclosed files, even for those who fear their details have been published online and want to check if their contact details are there.
“They could commit crimes themselves, because there are privacy considerations and privacy laws that could be violated,” she warned.
‘Scum of the Earth’
Prime Minister Anthony Albanese is among the millions affected by the data breach.
“It’s really difficult for people. I’m also a client of Medibank Private and it will be concerning that some of this information has come out,” he said at a press conference on Wednesday morning.
“The company followed the guidelines effectively. The advice is not to engage in the payment of a ransom. If you go this route, you end up with more difficulty, potentially on a wider range.
“But we are going, through [home affairs minister] Clare O’Neil, to answer this topic at length. We are concerned and will continue to monitor what is happening.”
AFP said it has stepped up Operation Guardian, working with state and territory police, to try to protect customer data.
“Overnight, when information was illegally disseminated online, AFP immediately took action, including using covert techniques,” Ms Gough said.
“AFP Cyber Command investigators work with public and private sector agencies to scour the Internet and known criminal websites to identify those buying or selling personally identifiable information.
“It is an offense to buy stolen information online, which can result in a sentence of up to 10 years in prison. It is also an offense to blackmail and serve customers.”
Ms Adriani hopes AFP will find the people behind the hack.
“I think they’re just the bass scum of the earth, basically,” she said.
“I don’t know what would make anyone do that. Besides being really horrible people.”
Law firms circle class action lawsuit
Medibank revealed on Monday that data, which includes the name, date of birth, address, phone number and email address, of nearly 10 million current and former customers has been exposed and may have been stolen.
But it rejected the criminal’s ransom demand that Medibank received “several weeks ago.”
Mr Koczkar said the ransom amount was “irrelevant” and paying would only increase the risk of further extortion.
The hacker also accessed the health claims of around 160,000 Medibank customers, around 300,000 claims from ahm subsidiary customers and around 20,000 international customers.
But bank and credit card details and key identity documents of local customers were not accessed, the company said.
Meanwhile, two law firms, Bannister Law and Centennial Law, are investigating the terms of the contracts the health insurer provided to customers and whether damages are appropriate.
They believed Medibank betrayed its customers and broke the Privacy Act by failing to stop the hack.
No case has yet been filed with a court.
All Medibank and ahm customers were asked to contact the company’s cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or via an information page on the company’s website.
Medibank said its customers can also speak to experienced and qualified mental health professionals 24/7 for mental health or wellbeing advice or assistance (1800 644 325).