Australians are being warned to brace for personal ransom emails and texts after private health insurer Medibank revealed almost 10 million of its customers have had their information stolen.
The nation’s largest health insurer detailed the full extent of a recent hack on Monday, saying about 485,000 customers from Australia and overseas have had their sensitive health data taken by cyber criminals.
Additionally, about 9.7 million Medibank and AHM insurance and international customers have had their names, birthdays, addresses, phone numbers and emails taken by an unidentified ransom group.
And now cyber security experts are warning the hackers may begin trying to individually ransom this information to victims after Medibank confirmed it would not pony up to retrieve the data.
Troy Hunt, a Microsoft regional director and the creator of the world’s leading public database of information security breaches, said the hackers were likely to respond to Medibank’s refusal to pay by either dumping all the data online, or milking it by ransoming individuals.
He said previous hacks, including the theft of health data from a Finnish therapy group in 2018, showed how victims of data breaches can become ransom targets.
In that case patients reported being asked for €200 ($300) in Bitcoin to prevent their medical data, which included notes from sessions with psychologists, being leaked on the internet.
“Think of it like a business – you’re running ransomware inc. – the best use of the data at your disposal could be to pivot from [ransoming] the organisation to individuals,” Mr Hunt told TND.
“They could start going through every individual on this list and demanding money … or, at a more macro level, they decide it’s better to dump all the data publicly to send a message.”
Grim outlook for exposed Medibank customers
Either way, the outlook for affected customers is grim and could be much worse than the theft of personal data from Optus in October, which saw at least 10,000 people have their data leaked online.
In that case Australian Federal Police set up a specialist operation to protect Australians most at risk of identity theft and other scams.
But on Monday the AFP declined to comment when asked how it was protecting Medibank customers whose data may now be ransomed or published.
Mohiuddin Ahmed, a senior lecturer in cyber security at Edith Cowan University, agreed Medibank users could become targets for ransom.
“Even if it’s a good strategy that Medibank is not paying the ransom, that means criminals will look for other options to exploit the data,” he said.
Medibank said on Monday about 160,000 Medibank customers, 300,000 AHM customers, and 20,000 international customers had their personal health data taken.
It included health service provider names, the locations where customers received medical treatment, codes associated with their diagnoses, and the procedures they had administered.
ACCC deputy commissioner Delia Rickard said customers should be on the lookout for ransom attempts or other suspicious emails or texts that may attempt to use stolen data to create more sophisticated scams.
Ms Rickard said it was “extremely concerning” that medical data had been caught up in the Medibank hack, saying some people will be “totally traumatised”.
She advised affected customers not to entertain any ransom demands.
“You actually have no idea who contacts you or whether they have your data or not,” Ms Rickard told TND.
“Don’t pay, but do a whole range of things to protect yourself.
“Let the police know, let your bank and super fund know, and tell them you’ve been a victim of the Medibank hack.”
Hackers ‘likely’ to make good on threats
Professor Chad Whelan, an expert in ransom groups at Deakin University, said those customers most at risk are the 485,000 who have had their personal health information stolen by criminals.
Other personal data stolen by the hackers has most likely “already been breached in some way, shape or form over time”, he said.
“Some of these individuals might find themselves in a precarious situation if there are particular health details they might not want out there,” Dr Whelan said.
“Criminal groups behind the breach might seek to extort that group.”
Dr Whelan said irrespective of whether Medibank paid the ransom, hackers could either dump all this data online or begin individually contacting customers to demand money for the data.
“It’s likely they’ll make good on their threat to release the data, but it’s also possible they would have done the exact same thing if the ransom was paid,” he said.
Medibank said on Monday it would not pay the ransom because it had no guarantees that the data would not be leaked anyway, adding that it could also encourage future cyber attacks.
“We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data,” Medibank CEO David Koczkar said in a statement posted to the ASX.
“Paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.”
Officials warn hacks exacerbating scams
Monday’s update on the Medibank hack came as ACCC officials sought to warn Australians about the danger of scams, which are being made worse by a string of major corporate data breaches in recent months.
That’s because scammers can use stolen personal data to make their scams more personalised and sophisticated, making it more difficult for victims to identify fraud.
There were 166,000 reports of scams with more than $425.8 million in losses between January and September – a 90 per cent annual increase.
The ACCC is providing a series of tips to Australians to protect them from scams, including:
- Stop: Take your time and consider before giving money or personal data to anyone
- Think: Ask yourself whether the message or call you’ve received could be fake
- Protect: Act quickly if something is wrong by contacting your bank or IDCare and utilise multi-factor authentication on your devices and email accounts.