Hackers Dump Australian Health Records Online After Insurer Refuses to Pay Ransom

The theft involves data on 10 million current and former Medibank customers.

Part of the message sent by a ransomware gang researchers have dubbed BlogXX which may have links to REvil.
Screenshot: BlogXX

Stolen health records for millions of Australians have been publicly released on the dark web following a threat by hackers 24 hours earlier to do precisely that. Last month, the unknown hackers demanded a ransom from Medibank, a private insurance provider in Australia, which the company refused to pay.

The hackers, who claimed to have spent a month rummaging around Medibank’s systems, have posted what they’ve called “naughty” and “nice” lists of health records, with the “naughty” list including people who’ve sought treatment for things like addiction and eating disorders. And they claim they’ve only started releasing the stolen information.


The hackers have also published the emails they exchanged with Medibank while negotiating over the ransom. The emails, if they’re authentic, show the hackers refusing to name themselves beyond saying they belong to an “affiliate group.” Security researchers have dubbed the group BlogXX, after part of the .onion address where the stolen data has been published. Oddly enough, that address was previously used by the Russia-based REvil ransomware gang, though it’s not clear whether any of the same people are involved.


In one of the email exchanges published by the hackers, a representative from Medibank asks how they know the hackers will actually delete the data if they pay the ransom.


“We are doing business, even if it is not legal, and we are worried about our reputation. This is the key to payments,” the response from the hackers reads.

“We are interested in getting money, not destroying your company,” the hackers continue.


Whatever their intention, these hackers have now put out information that could be used to destroy the lives of ordinary people who may be struggling with any range of mental health and addiction issues. In an email to Gizmodo on Wednesday morning, Medibank declined to comment on the authenticity of the images posted by the hackers.

To make things even more perplexing, Medibank didn’t have cyber insurance, despite being an insurance company. The company is on the hook to lose tens of millions of dollars, according to some estimates, and there are already lawsuits being prepared.


The thieves first published a threat in October to release sensitive data, including detailed health information, that would include notable people in Australia, including politicians, actors, and activists. The threat was in broken English, leading many people to assume the hackers are not from an English-speaking country. The hackers even spell the city of Sydney as “Sidney” in their email exchange with Medibank.

While Medibank has about 3.9 million current customers, the hacked data covers about 10 million people because it also includes former customers, according to Australia’s ABC News. So far the data has been published only on the hackers’ dark web site, reachable through Tor, and has not yet surfaced on the open web.


“Like millions of other Australians, my family was caught up in the Medibank breach & today we’re learning our personal data is on the dark web. Our worst data breach nightmares are playing out in real time, as our existing laws & data protection systems are no match for hackers,” David Shoebridge, a Senator with the Australian Greens political party, tweeted on Wednesday.

Medibank has received criticism for its slow response to the hack, even initially announcing that while there may have been a breach, the insurance company didn’t believe hackers were able to steal sensitive information. That turned out to be horribly wrong.

The dark web site hosting stolen Medibank data with a message from the hackers (redactions made by Gizmodo)
Screenshot: BlogXX

Australia is a wealthy country with plenty of resources for things like cybersecurity, but folks down under have struggled with protecting sensitive data for years now, partially due to a brain drain in the tech sector that sees skilled workers head overseas for better pay. This year has been particularly bad for Australia, with other high-profile data thefts like the recent breach of telecom giant Optus.


“I just want to thank @medibank. So far I have not had a single piece of advice or information from them about the hacking of my family’s private health data. We’ve been paying their exorbitant premiums for 20 years FFS. Worse than @Optus and that’s saying something,” one customer wrote on Twitter.

The Australian Federal Police (AFP), the rough equivalent of the FBI in the U.S., held a press conference on Wednesday about what it has dubbed Operation Guardian, encouraging anyone who is contacted in the future with blackmail threats to come forward.


“To the customers impacted by this latest breach, please do not be embarrassed to contact police through ReportCyber if a person contacts you online, by phone or by SMS threatening to release your data unless payment is made,” AFP assistant commissioner for Cyber Command, Justine Gough, said in a statement published online.

“Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years’ imprisonment. Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” Gough continued.
