Medibank is an Australian health insurance provider that was recently hacked and the health records of millions of its customers were published on the dark web because the company did not agree to pay the ransom.
The company came to know about this breach in October. At that time, the level of exposed data and the exact ransom money demanded were both unclear.
According to Medibank, besides health information the data includes “personal data such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for ahm customers (not expiry dates), in some cases passport numbers for our international students (not expiry dates), and some health claims data,” the company stated in a tweet.
The company believes that all the data of its 3.9 million customers has been compromised. It can also be 10 million if former customers are also taken into account!
Medibank keeps hearing from hackers that they will continue to upload batches of data on the dark web.
The hackers have posted “naughty” and “nice” lists of the stolen health records, Gizmodo reports. The “naughty” list is very invasive since it picks people based on sensitive health histories like having treatment for addiction and eating disorders.
The only clue about the hackers is the fact that the website of the now-defunct Russian ransomware operation REvil, redirects to the hackers’ blog, according to BleepingComputer.
“P.S. I recommend selling Medibank stocks,” the hackers wrote in broken English with a screenshot.
They state that the ransom they demanded was $10 million.
A lot of people have criticized Medibank for not adopting a smarter maneuver to deal with this threat.
Quite interestingly, Medibank didn’t even have cyber insurance. Now, it will have to give out up to $22 million in damages, excluding legal fees. The company’s top management did not realize there would be a data breach of this level and had earlier assured customers that something like this would never happen.