A ransomware group with suspected links to the notorious Russia-speaking REvil gang has threatened to release the personal information of millions of Medibank customers after the Australian private health insurance giant pledged it would not pay the cybercriminals’ ransom demand.
Medibank, Australia’s largest health insurance provider, first disclosed a “cyber incident” on October 13, saying at the time that it detected unusual activity on its network and took immediate steps to contain the incident. Days later, the company said that customer data might have been exfiltrated.
In an update posted this week, the Melbourne-based Medibank admitted that the attackers accessed roughly 9.7 million customers’ personal information, including names, birth dates, email addresses and passport numbers.
The cybercriminals also accessed health claims data for almost 500,000 customers, including service provider names and locations, where customers received certain medical services, and codes associated with diagnosis and procedures administered. For 5,200 users of Medibank’s My Home Hospital app, the cybercriminals accessed some personal and health claims data and, for some, next of kin contact details.
Medibank CEO David Koczkar said that while the health insurance giant believes that the attackers likely exfiltrated all of the data they were able to access, the organization would not pay the ransom demand.
“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Koczkar said. The chief executive added that paying could even encourage the hackers to adopt a triple-extortion tactic by attempting to extort customers directly.
Following Koczkar’s announcement, a ransomware gang believed to be a rebrand of the defunct REvil group threatened to leak the stolen Medibank data. The new dark web leak site, seen by TechCrunch, listed Medibank as one of its victims and said it planned to release the exfiltrated data publicly. The gang did not say how much data it exfiltrated from Medibank’s network, and did not share evidence of its claims.
The links between the new leak site and REvil, which went dark after U.S. authorities pushed the operation offline in October after the gang targeted ransomware attacks against Colonial Pipeline, JBS Foods and U.S. technology firm Kaseya, remains unclear. Brett Callow, a ransomware expert and threat analyst at Emsisoft, said that the new operation uses a variant of REvil’s file-encrypting website and that REvil’s old website now redirects to the new leak site.
Medibank described the gang’s threats as a “distressing development,” in a second update published on Tuesday, and urged customers to be vigilant with all online communications and transactions.
“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them,” said Koczkar. “The weaponization of their private information is malicious, and it is an attack on the most vulnerable members of our community.”
Medibank added that it is working with the Australian government, including the Australian Cyber Security Centre and the Australian Federal Police, in order to try and prevent the sharing and sale of customer data. News of the Medibank attack comes just weeks after Australia’s second largest telco Optus was breached. The Australian government confirmed an upcoming legislative change that would see companies that fail to adequately protect people’s data face fines of $50 million or more.