Australian health insurance giant Medibank has warned customers that the ransomware group behind last month’s breach has started to leak data stolen from its systems.
The attackers, linked to the REvil cybercrime gang, have leaked a wide range of information so far, including Medibank customers’ private and health data and, according to WhatsApp screenshots, negotiation chats with the health insurer’s security operations team and CEO David Koczkar.
Medibank said that there’s no evidence the cybercriminals have gained access to financial information (credit card and banking details), health claims data for extras services (like dental, physio, optical, and psychology), or primary identity documents (e.g., driver’s licenses).
It also alerted its customers today that the threat actors have published online files “believed to have been stolen” from its network, adding that it expects the extortionists to continue releasing stolen data on their dark web leak website.
“This data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data,” the company said.
“The files appear to be a sample of the data that we earlier determined was accessed by the criminal. We expect the criminal to continue to release files on the dark web.”
The Australian Federal Police is investigating this cybercrime.
— Medibank (@medibank) November 9, 2022
Today’s warning comes after Medibank said in a press release published on Monday, November 7, that it would not pay a ransom demand made by the attackers.
“Today, we’ve announced that no ransom payment will be made to the criminal responsible for this data theft,” Medibank said.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”
Data of millions of customers likely stolen
On October 26, the health insurance provider revealed that the hackers accessed some of its customers’ data, even though it initially said it had no evidence that customer info had been accessed or stolen by the attackers.
On Monday, before the cybercriminals started leaking data to back their claims and force Medibank into negotiating a deal, the company also disclosed that millions of customers had their information accessed by the hackers.
The data Medibank believes was exposed in last month’s breach includes the following:
Name, date of birth, address, phone number, and email address for approximately 9.7 million current and former customers and authorized representatives
Medicare numbers (but not expiry dates) for ahm health insurance (ahm) customers
Passport numbers (but not expiry dates) and visa details for international student customers
Health claims data for roughly 480,000 Medibank, ahm, and international customers
Health provider details, including names, provider numbers, and addresses
However, according to Medibank, “given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal.”
Customers warned to pay attention online
“We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web and provide advice on what customers should do,” the insurer said on Wednesday.
“Medibank is working with the Australian Government, including the Australian Cyber Security Centre and the Australian Federal Police. The Australian Federal Police is investigating this cybercrime.”
As Medibank warned, customers should be vigilant online and take the following measures to block any attack attempts:
Being alert for any phishing scams via phone, post, or email
Verifying any communications received to ensure they are legitimate
Not opening texts from unknown or suspicious numbers
Changing passwords regularly, using ‘strong’ passwords, not re-using passwords, and activating multi-factor authentication on any online accounts where available
Medibank will never contact customers asking for passwords or sensitive information
Medibank is one of the largest private health insurers in Australia, providing private health insurance and services to more than 3.9 million people.