A ransomware group with alleged ties to the infamous Russian-speaking gang REvil has threatened to expose the personal information of millions of Medibank customers after the Australian private health insurance giant said it would not pay the cybercriminals’ ransom demands.
Medibank, Australia’s largest health insurance provider, first revealed a “cyber incident” on October 13, saying at the time that it had detected unusual activity on its network and had taken immediate steps to contain the incident. Days later, the company said customer data may have been exfiltrated.
In an update published this week, Melbourne-based Medibank admitted that attackers had accessed the personal information of around 9.7 million customers, including names, dates of birth, email addresses and passport numbers.
Cybercriminals also accessed health claims data for nearly 500,000 customers, including names and locations of service providers where customers received certain medical services and codes related to diagnoses and procedures performed. For 5,200 users of Medibank’s My Home Hospital app, cybercriminals accessed some personal and health claims data, and for some, contact details of next of kin.
Medibank CEO David Koczkar said that although the health insurance giant believed the attackers had likely extracted all the data they had access to, the organization would not pay the ransom demand.
“Based on the extensive advice we received from cybercrime experts, we believe there is only a limited chance that paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Koczkar said. The CEO added that the payment could even encourage hackers to adopt triple-extortion tactics by trying to extort customers directly.
Following Koczkar’s announcement, a ransomware gang believed to be a rebrand of the defunct REvil group threatened to leak the stolen Medibank data. The new dark web leak site, seen by TechCrunch, named Medibank as one of its victims and said it plans to publicly release the exfiltrated data. The gang did not say how much data it took from Medibank’s network and did not share evidence for its claims.
Links between the new leak site and REvil, which went dark after US authorities pushed the operation offline in October following the gang’s ransomware attacks on Colonial Pipeline, JBS Foods and the American technology firm Kaseya, remain unclear. Brett Callow, a ransomware expert and threat analyst at Emsisoft, said the new operation uses a variant of the REvil ransomware to encrypt files and that the old REvil website now redirects to the new leak site.
Medibank described the gang’s threats as a “worrying development” in a second update posted on Tuesday and urged customers to be vigilant with all online communications and transactions.
“We apologize unreservedly to our customers. We take our responsibility to protect and support our customers seriously,” said Koczkar. “Weaponizing their personal information is malicious and an attack on the most vulnerable members of our community.”
Medibank added that it was working with the Australian government, including the Australian Cyber Security Centre and the Australian Federal Police, to try to prevent the sharing and sale of customer data. News of the Medibank attack comes just weeks after Australia’s second-largest telecommunications company, Optus, was hacked. The Australian Government confirmed an upcoming legislative change that would see companies that fail to adequately protect people’s data face fines of $50 million or more.