The health conditions and personal details of hundreds of Medibank customers, which may even include prime minister Anthony Albanese, have been published to a blog on the dark web by a Russian ransomware group, after the private health insurer refused to pay ransom.
The data was first dumped in the early hours of Wednesday morning, AEDT, along with a blog post where the alleged hackers said they were having trouble releasing the full load all at once, because the data was being stored in a “not very understandable format (tables dumps)”.
Videos by VICE
“We’ll continue posting data partially, need some time to do it pretty,” the hackers wrote. “We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.”
The data dump realises some of the worst fears felt by Medibank’s leadership, who in late October said that the data of all of the company’s 3.9 million customers had been hacked, including international student customers, and data belonging to customers of its partner health insurer, ahm.
In a statement to the Australian stock exchange late October, the medical insurer’s chief executive, David Koczkar, said the hack was a “terrible crime” designed to cause “maximum harm” to the most vulnerable members of the community. At the time, Koczkar said the company was negotiating with the hackers over what was believed to be more than 200 gigabytes worth of personal data.
During that same week, it was unclear just how many people were impacted by the hack, but that the data of at least 1,000 customers had been taken by the hackers, who showed it to Medibank leadership in an email exchange.
Just yesterday, the health insurer said that number had blown out to almost 500,000, including current and former customers.
Until earlier this week, Medibank was reluctant to rule out paying a ransom to the alleged hackers behind the hack, who are thought to be the Russia-backed ransomware group, REvil.
Around midnight last night, the group warned in a blog posted to “BlogXX” that it would start publishing customer records within 24 hours. “P.S. I recommend to sell medibank stocks,” they wrote.
In a blog post, the hackers published what they claimed to be some of their final negotiation emails with Medibank, which ended on November 7, the same day that the health insurer announced publicly that it wouldn’t cave to ransom demands.
On Wednesday, the private health insurer issued a statement confirming the data dump, which the company said “appears to be a sample of the data” which the insurer had already confirmed the group had hacked.
“The data includes personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for agm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data,” Medibank said in a statement.
“We expect the criminal to continue to release files on the dark web.”
As a result, the Australian Federal Police has launched an investigation into the hack called “Operation Palladius”, alongside separate investigations into the Optus hack, and MyDeal breach, which each affected more than 2 million customers.
Australia’s home affairs and cyber security minister, Clare O’Neil, called the Medibank hackers “disgraceful human beings”, who she suggested probably wouldn’t have stopped, even if Medibank did decide to pay the unknown ransom.
“I don’t have words to express the disgust I feel at crimes of this nature,” O’Neil said.
“The fact that people’s personal health information is being held over their head is just disgusting to me.”
Follow John on Twitter.
Read more from VICE Australia and subscribe to our weekly newsletter, This Week Online.