Medibank has confirmed that data released overnight by a hacker group is real, meaning that hundreds of the company’s customers have had their names, addresses, phone numbers, passport numbers, health claims data and other personally identifiable information exposed online for anyone to see.
The data — posted after Medibank refused to pay a ransom — also appears to include information on Medibank staff and international students, screenshots of negotiations with the hacking group, and even the company CEO David Koczkar’s mobile phone number.
On Wednesday morning, Medibank responded to the hacker group after it posted a dump of data when the midnight deadline for a ransom payment wasn’t met.
“The files appear to be a sample of the data that we earlier determined was accessed by the criminal,” the Medibank statement said.
The group posted “a small part of the data” to its dark web blog and promised more to come in the future.
“We’ll continue posting data partially, need some time to do it pretty,” it said.
The group said it would publish data beyond just customer data, such as information from Confluence, a software product used by companies to share data internally, and source code of Medibank software.
Have I Been Pwned creator and cybersecurity expert Troy Hunt said the data leaked was “extraordinarily sensitive”.
“This is about as bad as we feared it would get,” he tweeted.
The group posted two lists labelled “good-list” and “naughty-list” with data on 198 customers. Beyond personally identifiable information, the data also includes health provider names along with codes for diagnoses and procedures.
Crikey was unable to independently confirm the legitimacy of the Medibank customers’ contact details after calling dozens of phone numbers. Many of the phone numbers are no longer operational or don’t belong to the people they’re listed for. (This doesn’t disprove the legitimacy of the data. There are many reasons why this reporter was unable to confirm them, ranging from the company possessing old data to luck.)
Other information includes spreadsheets with what appears to be basic information about tens of thousands of international students and the phone numbers and device IDs of hundreds of Medibank staff’s phones.
The data posted also includes what appear to be screenshots of email and text message negotiations between the hacking group and Medibank staff. These started in October with the original ransom note and ended on November 7 when a Medibank staff member told the group they would not pay the ransom.
The group even included a screenshot of a WhatsApp contact listed as belonging to company CEO David Koczkar and messages sent to him.
“HI! As your team is quite shy, we decided to make the first step in our negotiation,” they wrote on October 18.
The authenticity of the negotiation screenshots, Medibank staff and international student information has not been specifically confirmed by the company.
Home Affairs and Cybersecurity Minister Clare O’Neil shared on Twitter a list of steps for those affected by the hack to take.
“If you’re a Medibank or AHM customer, it’s important to be extra vigilant,” she said.