The attackers, believed to be linked to the Russian-backed REvil ransomware gang, posted an update to its dark web blog in the early hours of Thursday morning, saying: “Happy Cyber Security Day!!! Added folder full. Case closed.”
The dark web blog was unavailable at the time of writing, but according to Medibank, the “full” folder contained six zipped files of raw data. At more than six gigabytes in size, the cache is much larger than any of the attackers’ previous Medibank leaks. Medibank confirmed in November that the attackers took 9.7 million customers’ personal details and health claims data for almost 500,000 customers.
The Medibank cybercriminals previously published data including customers’ names, birth dates, passport numbers, information on medical claims and sensitive files related to abortions and alcohol-related illnesses. Portions of the data seen by TechCrunch also appear to include correspondence between the cybercriminals and Medibank CEO David Koczkar, including a message in which the hackers threaten to leak “keys for decrypting credit cards,” despite Medibank’s assertion that no banking or credit card details were accessed.
The cybercriminals claimed they published the data after Medibank refused to pay their $10 million ransom demand, which was later reduced to $9.7 million, or $1 per affected customer.
Medibank said on Thursday that it is in the process of analyzing the latest leaked data but said it “appears to be the data we believed the criminal stole.”
“While our investigation continues there are currently no signs that financial or banking data has been taken,” Medibank said. “And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analyzed today so far is incomplete and hard to understand.”
Although it’s believed the hackers have released all of the data stolen from Medibank, the company added that it expects “the criminal to continue to release files on the dark web.”
The Australian health insurance giant is urging customers to be vigilant with all online communications and transactions and to be alert for phishing scams related to the breach. Medibank added that to strengthen its security, it has this week added two-factor authentication in its contact centers to verify the identity of customers.
While Medibank is taking steps to shore up its cybersecurity, the company could face major financial penalties after the Australian parliament this week passed legislation that paves the way for businesses to be fined up to $50 million for repeated or serious data breaches.
Australia’s data and privacy watchdog, the Office of the Australian Information Commissioner (OAIC) on Thursday announced that it had begun an investigation into the personal information handling practices of Medibank. The OAIC — also investigating the recent Optus breach — said its investigation will focus on whether Medibank took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorized access, modification or disclosure.
“If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention,” the OAIC said.
News of the investigation comes after the Australian Federal Police (AFP) said in November that it knows the identity of the individuals responsible for the attack on Medibank. The agency declined to name the individuals but said the police believe that those responsible for the breach are based in Russia, though some affiliates may be in other countries. The Russian Embassy in Canberra rebuffed the allegations.
Though their identities remain unknown, the attackers responsible already appear to be moving on from the Medibank hack. In recent days the group has posted new victims to its dark web blog, including New York-based medical group Sunknowledge Services and the Kenosha Unified School District.