Fraud Management & Cybercrime , Geo-Specific , Incident & Breach Response

Medibank Hackers Dump Stolen Data on the Dark Web

Australian Information Commissioner Will Investigate Insurer's Security Practices
Medibank Hackers Dump Stolen Data on the Dark Web
Image: Medibank

The Russia-based ransomware gang behind the hack of Australia's largest private health insurer says it posted a full set of stolen data even as analysis by Medibank called the data incomplete and difficult to understand.

See Also: Cybersecurity Checklist: 57 Tips to Proactively Prepare

Hackers posted raw Medibank data in six zipped files of more than 5 gigabytes in a folder called "full."

In a statement, Medibank said that health claims data has not been joined with name and contact details.

The October hack has affected 9.7 million current and former customers, including 1.8 million foreigners residing in Australia.

The ransomware gang behind the hack began leaking information after Medibank CEO David Koczkar declined on principle to negotiate with the hackers (see: Medibank Says No to Paying Hacker's Extortion Demand).

An investigation by Australian Federal Police is ongoing and there are currently no signs that hackers stole financial or banking data.

Cybersecurity Minister Claire O'Neil released a joint statement with Attorney-General Mark Dreyfus calling the data dump an anticipated development. "The release of such sensitive and personal data is morally reprehensible," they said.

The Australian Information Commissioner announced it had initiated a separate investigation into the personal information handling practices of Medibank.

The primary focus of the investigation will be on whether Medibank took reasonable steps to protect the personal information it held.

If the OAIC privacy commissioner finds "serious and/or repeated interferences with privacy," Medibank could face fines up to AU$2.2 million for each violation.

The Australian Parliament on Monday approved legislation increasing the maximum penalties for serious or repeated corporate privacy breaches from the current $AU2.22 million to whichever is the greater of $AU50 million, 30% of adjusted turnover or three time the value of any corporate benefit obtained through the misuse of information.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.