Fraud Management & Cybercrime , Geo-Specific , Incident & Breach Response
Medibank Hackers Dump Stolen Data on the Dark WebAustralian Information Commissioner Will Investigate Insurer's Security Practices
The Russia-based ransomware gang behind the hack of Australia's largest private health insurer says it posted a full set of stolen data even as analysis by Medibank called the data incomplete and difficult to understand.
Hackers posted raw Medibank data in six zipped files of more than 5 gigabytes in a folder called "full."
In a statement, Medibank said that health claims data has not been joined with name and contact details.
The October hack has affected 9.7 million current and former customers, including 1.8 million foreigners residing in Australia.
The ransomware gang behind the hack began leaking information after Medibank CEO David Koczkar declined on principle to negotiate with the hackers (see: Medibank Says No to Paying Hacker's Extortion Demand).
An investigation by Australian Federal Police is ongoing and there are currently no signs that hackers stole financial or banking data.
Cybersecurity Minister Claire O'Neil released a joint statement with Attorney-General Mark Dreyfus calling the data dump an anticipated development. "The release of such sensitive and personal data is morally reprehensible," they said.
The Australian Information Commissioner announced it had initiated a separate investigation into the personal information handling practices of Medibank.
The primary focus of the investigation will be on whether Medibank took reasonable steps to protect the personal information it held.
If the OAIC privacy commissioner finds "serious and/or repeated interferences with privacy," Medibank could face fines up to AU$2.2 million for each violation.
The Australian Parliament on Monday approved legislation increasing the maximum penalties for serious or repeated corporate privacy breaches from the current $AU2.22 million to whichever is the greater of $AU50 million, 30% of adjusted turnover or three time the value of any corporate benefit obtained through the misuse of information.