Canberra: Extortionists dumped stolen client records relating to pregnancy terminations on the dark web on Thursday in their latest effort to pressure Australia’s largest health insurer to pay a ransom.
The cybercriminals began dumping customer records on Wednesday including treatments for HIV and drug addiction after Medibank this week ruled out paying a ransom for the return of the hacked data.
The criminals, who used the name “Extortion Gang,” on Thursday posted that they had demanded $9.7 million – $1 for the records of each of the 9.7 million current and former Medibank customers that were stolen.
Most concerning was the theft of health claims for almost 500,000 customers that include diagnoses and treatments.
Medibank CEO David Koczkar condemned the release of Thursday’s tranche of data as “disgraceful.”
“The weaponization of people’s private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Koczkar said in a statement.
Cybersecurity Minister Clare O’Neil described the targeting of women who had terminated pregnancies as “morally reprehensible.”
“Yesterday, I indicated to the Parliament that the consequences of the Medibank hack were likely to get worse, and today those fears have been realized,” O’Neil told Parliament.
“And I want to say, particularly to the women whose private health information has been compromised overnight, as the minister for cybersecurity but, more importantly, as a woman, this should not have happened,” she added.
Medibank and government services were standing ready to support all customers in need even if a “large data dump occurs,” O’Neil said.
The extortionists have warned that the dumps will continue daily.
Cybersecurity expert and Medibank customer Nigel Phair spoke of his frustration at not knowing how much of his personal data had been stolen.
“You just don’t know what’s been lost of your own details: Is it your name, your date of birth, is it your address, is it everything and more?” Phair told Australian Broadcasting Corp.
Medibank had failed to adequately address basic risk management questions on what data was stored, where it was stored, who had access and how that data was accessed, Phair said.
“If they’d done that competently beforehand, and put appropriate controls (in place), this wouldn’t have happened,” Phair said.
The extortionists have been linked to high-profile Russian cybercrime gang REvil, short for Ransomware Evil and also known as Sodinokibi.
The Russian Federal Security Service said in January REvil “ceased to exist” after several arrests were made at the insistence of the United States.
Troy Hunt, founder of the “Have I been Pwned?” website, a service that enables users to check if their personal details have been exposed by data breaches, said it was unclear how REvil was involved.
An old REvil dark web site had started redirecting traffic to a new site that hosts the stolen Medibank data, Hunt said.
REvil could have rebranded as BlogXX, the name by which the Medibank hackers are becoming increasingly well known within cybersecurity circles, or former REvil operatives might have found a new home.
“The reality is, it’s a bit like any job – people come and go,” Hunt said.
Conversations between the hackers and Medibank that have been published with the data dumps show that the operation was initially intended to be a ransomware attack. That would have denied Medibank access to its own customer records and heightened pressure on finding a quick resolution.
But the hackers said they ran out of time to encrypt Medibank’s systems with ransomware so fell back on the plan to monetize the data that had already been stolen.