Stolen data from an Australian health insurer, including the names, addresses and dates of birth of hundreds of customers, was posted to a forum on the so-called dark web.
Stolen data from an Australian health insurer, including the names, addresses and dates of birth of hundreds of customers, was posted to a forum on the so-called dark web.
The files appear to be a sample of the data that was accessed, Medibank Private Ltd. said in a statement on Wednesday. The company expects more data to be released, after earlier this week said hacker exposed information of about 9.7 million people.
The disclosure of personal information comes after a series of data leak in Singapore The Optus unit of Telecommunications Ltd. in September, disclosed the details of about 10 million customers. Other recent attacks against the pathology provider Australian Clinical Labs Ltd. and Woolworths Ltd subsidiary MyDeal. has raised concerns that Australian companies are not doing enough to protect customer data.
The hackers warned early Tuesday that they would release the data within 24 hours, a day after the Melbourne-based company said it would not pay the ransom because it would only encourage crime. further offense. The leaked data contained details of about 100 clients including treatments for cannabis addiction, alcohol abuse, anxiety and drug use, the Australian Financial Review reported.
By Medibank data breach could cost the company more than AU$200 million ($129 million), according to Bloomberg Intelligence analysts Matt Ingram and Jack Baxter. The health insurer has delayed raising premiums for affected customers, which could cost affected policyholders between A$500 and $20,000, analysts said.
Shares of Medibank rose 0.7 per cent in afternoon Sydney trading on Wednesday. Shares have fallen about 20% since the hack was first discovered just under a month ago, wiping around AU$2 billion from the company’s market value.
Josh Lemon, who teaches cybersecurity at the SANS Institute, said the first batch of leaks and further posting threats could be designed to pressure Medibank into paying the ransom.
“Unfortunately, paying a ransom does not always guarantee that data will not be released or sold to other cybercriminals,” Lemon said. “I don’t believe paying the ransom at this stage will do more than delay the rate at which data is released.”
Interior Minister Clare O’Neil said Medibank’s decision not to pay ransoms to cybercriminals was in line with government advice.
“Paying them just fuels the ransomware business model,” O’Neil said. “They commit to taking action in return for payment, but so often leave companies and individuals victimized.”
“Under no circumstances should Medibank consider paying a ransom,” said Troy Hunt, who runs the breach tracking website. “Their views on this are correct and reflect the government’s position on cybercrime and ransom.”
The Australian Federal Police operation Guardian, originally established to protect victims of the Optus data breach, will be expanded to include victims of the Medibank hack, Assistant Commissioner Justine Gough said on Wednesday.
The government on Wednesday also passed legislation increasing fines for repeated or serious privacy violations to at least A$50 million.
“The significant privacy breaches in recent weeks show that current protections are outdated and inadequate. This bill makes clear to companies that the penalty for a major data breach can no longer be seen as a cost of doing business,” Attorney General Mark Dreyfus said in a statement.
