Cybercriminals continue to drip feed stolen Medibank customer data, in a move experts say appears to be designed to "incite fear".
Key points:
- Cyber security experts said more support is needed for victims of the Medibank hack
- Affected customers have called for changes to data retention laws
- There are also calls for the payment of ransoms to be illegal
In a chilling message posted on the dark web yesterday, the hackers released sensitive details of customers' medical procedures and said they had demanded $US1 ($1.60) for each of Medibank's 9.7 million customers.
The personal information of more than 5 million customers has been released so far, Medibank has confirmed.
Glen Arrowsmith is one of them.
He was horrified to find out the extent of the stolen information about him that had been leaked.
"I was shocked to find out four previous addresses, phone numbers, medical details all out there," Mr Arrowsmith said.
"And I'm not even a customer of Medibank anymore."
The hackers linked to a Russian entity followed through with a threat to start publishing data yesterday after Medibank refused to pay the ransom on Monday.
Medibank has confirmed a third round of stolen customer data had been released on the dark web overnight.
About 240 customers had been affected by the latest breach, which reveals health records, including conditions related to the harmful use of alcohol.
That follows yesterday's illegal release of Medibank data including information linking hundreds of customers to pregnancy terminations.
There were slightly more than 300 files in that release on the website that has been connected to a Russian-backed criminal entity.
Medibank is emphasising that people may have had terminations for a range of reasons, including ectopic pregnancy, miscarriages and complications.
The private health insurance provider is advising people not to seek out the data, and has described the ongoing release of information as "deplorable".
Hackers trying to 'incite fear'
Professor Monica Whitty, the head of the department of software systems and cybersecurity at Monash University, said the hackers appeared to be drip feeding the release of customer data to cause more harm.
"They may be trying to incite fear to try and change the decision of the company," Ms Whitty said.
"But there's also the second, that 'look we are going to make good with what we promised if you don't give us money' so then when they do another attack, maybe they will be more profitable the next time."
Medibank has set up a cyber support program for customers affected by the data breach disaster, which includes a counselling hotline, mental health outreach service, hardship support and identity protection advice.
However, Ms Whitty said there should be more help available for victims.
"The government needs to do that, they need to provide support for victims of these crimes," she said.
"These people are victims of cyber, and they're not being treated as such."
Calls for privacy laws overhaul
Mr Arrowsmith works in cyber security and has called for an overhaul of Australia's data retention laws.
The federal government is reviewing privacy laws and has proposed increasing fines for data breaches from $2.2 million to $50 million.
He said currently companies just accept the risk of data breaches and budget for it accordingly.
"[The] cybersecurity insurance I think should be an industry that doesn't exist."
Mr Arrowsmith has also called for the payment of ransoms to be outlawed in Australia.
It is not currently illegal in Australia to pay a ransom for a cyber attack.
"Australia needs to put in laws in place to prevent any future Australian companies from paying ransomware. So we send a clear message that Australia is not worth targeting. Because you cannot get any money out of us," Mr Arrowsmith said.
A spokesman for Attorney-General Mark Dreyfus' office said any new law would require a change to the criminal code.
"The government's very strong advice is that companies not pay ransoms," the spokesman said.
"Given recent events the government is reviewing all issues surrounding data privacy."