Hackers who stole a trove of data from one of Australia’s biggest private health insurers are drip-feeding sensitive details of customers' medical diagnoses and procedures, including abortions, onto the dark web.
The leaks started flowing on Wednesday, as the hackers—who contacted Medibank in late October to reveal they’d stolen 200 gigabytes of the health insurer’s customer data—followed through on their threat to publish the information unless they were paid a ransom of $9.7 million. The cybercriminals have now revealed that figure was based on a ransom demand of $1 per customer.
The tranches of stolen data are being published on the ransomware group’s blog as downloadable files titled “good-list” and “naughty-list.” Thus far, the leaks have included information relating to patients’ home addresses, phone numbers, and passport numbers, as well as details about health conditions such as alcohol abuse, anxiety, cannabis dependence, and opioid addiction. The so-called “naughty list” is said to include high-profile figures’ private health claims relating to drugs or mental health issues.
In the latest leak on Thursday night, the names of more than 300 Medibank customers were uploaded under a file named “Abortions.csv.” That file reportedly included a spreadsheet with 303 patients' details alongside billing codes relating to pregnancy terminations—including non-viable pregnancy, miscarriage, and ectopic pregnancy.
“Society ask us about ransom, it's a 10 millions USD (A$15.5 million). We can make discount 9.7m (A$15 million) 1$ (A$1.60)=1 customer,” read a post on the blog.
Medibank has confirmed that, as of Friday, the personal information of more than five million customers has been released.
Addressing the media on Friday afternoon, Australian Federal Police (AFP) commissioner Reece Kershaw said that authorities believe the hackers responsible for the cyber theft are from Russia, saying “our intelligence indicates that [they’re] a group of loosely affiliated cyber criminals who are likely responsible for past significant breaches in countries across the world.”
“These cyber criminals are operating like a business with affiliates and associates who are supporting the business,” he added. “We also believe that some affiliates may be in other countries.”
The Australian Broadcasting Corporation reports that authorities suspect the perpetrators are members of the notorious Russian cyber criminal gang REvil, and that while the group is not considered part of the Russian state, it operates with the protection of President Vladimir Putin.
Some of the group’s more notable exploits include the May 2021 cyberattack on the Colonial Pipeline that led to widespread gas shortages on the East Coast of the U.S., the attack on software company Kaseya—which paralyzed as many as 1,500 companies—and an attack on JBS Foods, the world’s largest meat supplier, which paid the hackers $11 million.
The Russian Federal Security Service (FSB) claimed to have dismantled REvil in January, following raids on 25 different locations across Moscow, St. Petersburg, and Lipetsk that resulted in the arrest of 14 people allegedly involved with the cyber gang’s operations. The FSB said in a statement at the time that 20 luxury cars, 426 million rubles, $600,000 and €500,000 were seized during the raids.
Kershaw said on Friday that while authorities believe they know who the individuals responsible for the Medibank hack are, he would not be naming them.
“What I will say is that we'll be holding talks with Russian law enforcement about these individuals,” he said, noting that as part of INTERPOL, Russia has an obligation to help bring the cybercriminals to justice. “Russia benefits from the intelligence-sharing and data shared through INTERPOL, and with that comes responsibilities and accountability.”
He also reiterated that “the Australian government policy does not condone paying... ransoms to cyber criminals” and that doing so “fuels a cybercrime business model.”
Medibank released a public statement on Monday morning declaring that “no ransom payment will be made to the criminal responsible for this data theft.”
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” the health insurer stated. “In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers.”
The Medibank hack follows a string of unrelated cyberattacks against Australian corporations in recent weeks and months, as citizens’ data have come under siege from hackers. These have included attacks on telecommunications provider Optus, supermarket chain Woolworths, and even the AFP’s own classified documents, which exposed agents working to stop international drug cartels.
Follow Gavin Butler on Twitter.