Medibank health insurance company branch showing refusal of ransom payments led to leak of health data on dark web

Medibank Refuses Ransom Payments, Hackers Leak Stolen Health Data to Dark Web

The recent breach of Medibank has resulted in the leak of millions of health data records to the dark web, as the company opted to ignore demands for ransom payments. About 9.7 million records were stolen, but thus far only a small fraction have been published by the criminals.

The incident, combined with a recent string of similar mass data breaches, has Australia’s government discussing the possibility of banning ransomware payments. This would be a major break from the status quo, as nations have largely shied away from payment bans at the national government level.

Massive data breaches prompt discussion of ban on ransom payments

Though the data of 9.7 million current and former customers was stolen, it is still not entirely clear how detailed the average record was. It is known that some records included Medicare numbers, passport numbers and visa details, and about half a million health claims were taken. However, some records may have been limited to basic contact information such as home and email addresses and phone numbers.

Medibank CEO David Koczkar said that the company believed making ransom payments would offer only a “limited chance” of keeping the health data of customers off of the dark web, and that the payments would encourage attackers to persist in their criminal enterprises. Medibank has warned its customers that this means their health data may be made available to anyone via the dark web, and that the data may be used by criminals to contact them with scam attempts.

The attack on Medibank came during a period of roughly a month and a half in which major companies in Australia were heavily targeted, and a number of successful breaches yielded mass amounts of sensitive data. Other companies that lost millions of records to attacks during this time include telecommunications giant Optus and retailer Woolworths; a number of other companies lost tens to hundreds of thousands of records during this wave of criminal activity.

The attackers that demanded ransom payments from Medibank are believed to have ties to the now-defunct REvil gang, which sat on top of the ransomware world in 2021. Some members of the gang were arrested as international law enforcement coordinated to neutralize the group, but others are believed to have scuttled away to start their own new operations using similar tools and tactics.

The hackers had initially threatened to be selective in their release of health data if the ransom payments were not made, and they appear to be keeping that promise. Security researchers note that the early trickle of records includes high-profile politicians, as well as records of seemingly more obscure victims that are coded with a diagnosis of drug or alcohol addiction. The group seems to think that a trickle of some of the most potentially embarrassing or sensitive information will pressure Medibank into reconsidering its position on ransom payments. Its next big threat is to drop health data of patients that have had abortions.

The group also claims that it stole encrypted credit card numbers in the raid, and will leak them along with keys for decrypting them. Medibank disputes this, saying that it sees no evidence of financial information being accessed. The attackers have already moved to selling access to the records piecemeal, asking for $1 for access to one record. The Australian police have warned that downloading the samples of data could be regarded as an offense and met with charges.

Failure to protect sensitive health data could bring fines, class action suits

Medibank’s decision to not pay up may become the law of the land, as the Department of Home Affairs is now floating the possibility of outlawing ransom payments to curb the rising problem. Minister Clare O’Neil expressed support for Medibank’s decision, and said that the department would be looking at a ban as a “long-term” possibility.

There is no commitment at this point beyond “having a look,” but if Australia made this move it would be virtually alone among its Five Eyes intelligence partners. Certain US states have forbidden government agencies from making payments, but the country as a whole has appeared to commit to allowing private sector ransom payments in the interest of giving hard-pressed businesses that are caught unprepared a shot at avoiding financial ruin.

Australia has recently proposed changes to its privacy laws, however, and new penalties could mean that whatever Medibank saved on ransom payments could be going toward fines levied due to the loss of sensitive health data. Allowed amounts are in the tens of millions of dollars at maximum. Two law firms, Bannister Law Class Actions and Centennial Lawyers, are also investigating the possibility of class action suits due to failure to adhere to the terms of their privacy policy and to keep up their end of contracts with customers.

Rebecca Moody, head of data research at Comparitech, says that global trends are actually moving away from ransom payments, at least according to what companies are willing to publicly admit: “According to the data collated through our Worldwide Ransomware Tracker, just less than 18 percent of ransom demands have been paid (where companies confirm whether or not they have paid). However, companies are far more likely to confirm they haven’t paid than if they have as many feel admitting to paying ransoms leaves them exposed to future attacks.”

Medibank is offering impacted customers a “cyber response support package” that includes reimbursement of fees if a customer opts to replace a government ID due to its appearance in the stolen health data. The company is also offering some form of “hardship support” and resources and counseling for identity protection.