Add Category
Medibank has confirmed that more stolen customer data has been released on the dark web, amid reports the hackers have released all files remaining in their possession.
Key points:
- Medibank has confirmed that further stolen customer data has been released
- The hackers have commented "case closed" on their post describing the latest release
- Cyber security experts say it remains unclear as to whether all the stolen data has now been uploaded
The health insurer has steadfastly refused to pay the ransom demanded by hackers that illegally accessed the data of millions of customers, with the cyber criminals to this point drip-feeding sensitive customer information onto the dark web.
Cybersecurity threat analyst Brett Callow from Emsisoft tweeted at 3:14am AEDT noting that the Medibank hackers had posted more data along with the statement, "Added folder full. Case closed."
"Whether this means they've now released all the data that was stolen, and what they plan to do with any data that hasn't been released, is unclear," Mr Callow tweeted.
In a statement this morning, Medibank said it was still analysing the information, but confirmed that the data released appeared to be data it believed the criminals had stolen.
Data 'incomplete and hard to understand'
It said the release consisted of six zipped files but that much of the data is incomplete and hard to understand.
It added that health claims data released today had not been joined with customer name and contact details.
Medibank said the data stolen, by itself, should not be sufficient to enable identity and financial fraud against affected customers.
However, past data releases have exposed sensitive information around some Medibank customers' medical treatment claims.
"Again, I unreservedly apologise to our customers," said the company's chief executive David Koczkar in the statement.
"We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web."
All Medibank and ahm customers seeking more information have been urged to contact the company's cyber response hotlines by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or through an information page on the firm's website.
Medibank said its customers could also speak to experienced and qualified mental health professionals 24/7 over the phone for advice or support around mental health or wellbeing (1800 644 325), or contact Lifeline, Beyond Blue or their GP.
Cyber security 'wake-up call'
Security experts say the "wake-up call" provided by Optus and Medibank is reverberating across corporate Australia.
"We're seeing a much more heightened interest in enhancing security measures," said Nik Devidas.
"But also a better understanding of data governance frameworks, that is: 'What data do we actually hold?'"
Mr Devidas is the managing director of Rock IT, a company that provides cyber security and helpdesk services.
He said businesses both large and small need to keep educating their staff to reduce the risk.
"People remain the weakest link. Research shows that it's far easier to socially engineer someone for credentials rather than hack into systems."
"Businesses should be building a secure culture," he argued, pointing to the difference between simple security measures and processes that build resilience to counter ongoing threats.
"Resilience recognises things can and will go wrong, and focuses on business continuity, minimising disruption and enabling a rapid recovery."
The other issue is that companies have been creating problems for themselves by being unaware of all the data they are collecting, and storing information they do not need.
"Companies should now be evaluating the types of data they request and hold," he said.
This can be as simple as discovering what sensitive information a company holds, who has access to it, and if data that is no longer needed can be deleted.
Law firm launches claim
Class action specialist law firm Maurice Blackburn has announced that it has lodged a "representative complaint" against Medibank with the Office of the Australian Information Commissioner (OAIC).
The law firm said the OAIC has the power to not only fine Medibank for privacy breaches but also to potentially order the company to compensate customers.
It is alleging that Medibank failed in its duties by failing to take reasonable steps to protect the privacy of its customers' personal information and sensitive health information from interference, loss, unauthorised access and unauthorised disclosure.
"The right to privacy is a fundamental human right, and the representative complaint to the Australian Information Commissioner offers an avenue of redress to the millions affected by this incident," said Maurice Blackburn principal lawyer Andrew Watson in a statement.
"We cannot undo the damage that has been caused in this data breach, but we can ask the commissioner to investigate the data breach and seek compensation from Medibank on behalf of those affected, including for financial or non-financial loss, such as humiliation, stress, and feelings of anxiety."
Loading form...