Sensitive health data from Medibank, including information about abortions, has been posted on the dark web, prompting the minister for home affairs, Clare O’Neil, to pledge police would track down the “scumbags” behind the hack.
On Thursday morning, on a dark web blog linked to the REvil Russian ransomware group, the attacker posted a file labelled “abortions” alongside claims they had sought US$10m from Medibank to prevent the leak of the data.
The data in the file is understood to include procedures claimed by a policyholder related to the termination of pregnancy, including non-viable pregnancy, ectopic pregnancy, molar pregnancy, miscarriages, and readmission for complications.
O’Neil told the parliament during question time on Thursday that the full weight of the Australian Federal Police and Australian Signals Directorate were coming for those who leaked the information.
“I want the scumbags behind this attack to know that the smartest and toughest people in this country are coming after you,” she said.
“I want to say, particularly to the women whose private health information has been compromised overnight, as the minister for cybersecurity but more importantly, as a woman, this should not have happened, and I know this is a really difficult time.”
O’Neil said she had spoken twice today with Medibank’s chief executive, David Koczkar, and made it “abundantly clear of the expectations of the Australian community about what this company owes to its customers given what has transpired here”.
Medibank would be providing a one-stop-shop for support for customers, and if a larger dump occurs, the health insurer has provided assurances it will have services ready to support customers.
In a statement, O’Neil said principal responsibility for providing services and support to customers rested with Medibank: “this is the duty they owe their customers”.
“The expectation of Australians is that support will be there when they need it,” O’Neil said.
“That is why we requested that Medibank operate a one-stop-shop model, to assist citizens in accessing the support that has been made available across Medibank, the civil sector and state and federal governments. This is complemented by additional government services, and law enforcement action.”
O’Neil said the Australian government was now better prepared for the consequences of this cyber attack than it ever has been before. The National Coordination Mechanism (NCM), which brings together all relevant state and federal departments and agencies, as well as Medibank Private, has now met eight times.
“The NCM has never been initiated before for a cyber attack, indeed, before Optus there was no meaningful cyber incident response mechanism in the Australian government.
“No one could or should pretend that these actions will prevent all harm from occurring. Nor should they demonstrate that the response to the problem is perfect - there will be problems and issues.”
The Australian Federal Police has warned people not to go seeking out the data themselves, warning it is in breach of Australian privacy laws.
“They could be committing crimes themselves because there are some privacy considerations and privacy laws that could be being breached,” the AFP assistant commissioner cyber command, Justine Gough, said on Wednesday.
She warned anyone who tries to buy the stolen information would face up to 10 years in jail and warned against anyone trying to “piggy back” off the hack by blackmailing victims of the attack.
“The AFP has significant powers within its remit, including legislation that precludes the AFP from revealing when those powers are in use,” she said. “Those powers are a chilling reminder to hackers and those who will attempt to piggyback off those criminals that the AFP will relentlessly pursue them.”
The AFP announced on Wednesday that it would expand Operation Guardian – which was set up to protect the 10,000 Optus customers who had their personal information posted online earlier this year – to those Medibank customers exposed.
