The personal and medical information of millions of Australians appears to be accessible online, after the group behind the Medibank hack released a flood of sensitive customer data on Wednesday.
Experts had earlier suggested the hackers, who claim to be a Russian group that makes a fortune from ransoming information it steals, were pursuing a slow release strategy after only 200 customer records were published on Wednesday morning.
But just hours later, The New Daily had seen that hundreds of files amounting to more than 2.5 gigabytes of information were available for download via the group’s blog on the “dark web”. The blog has become a forum for taunting the health insurer – Australia’s largest – and the hack’s victims.
One massive block of data featured customer phone numbers, addresses and information about health treatments. It was split across more than 200 documents, many of which appeared to run to 400,000 rows of information each.
Troy Hunt, a Microsoft regional director and international authority on data breaches, said his initial view was that the information now freely downloadable could represent “a very significant portion” of the data stolen in the hack and a “surprising amount” of customer information.
“They’ve got a tonne of [files] and clearly those [files] will have a lot of personal information in them,” he told The New Daily.
“From what I’ve heard and seen, I suspect that there is a very large group of people already within those [files].”
Medibank did not immediately respond to questions about how much data was now online and whether the bulk of its affected customers’ information had been published.
The personal information of some 9.7 million current and former customers was thought to have been stolen in early October when Medibank’s computer systems were infiltrated by hackers who were said to have made away with 200 gigabytes of data.
Initially the hackers released two files on Wednesday, each containing 100 customers’ details – one labelled “naughty” and one labelled “nice”.
It was a cruel taunt to their victims.
Those on the ‘naughty’ list had been treated for substance addiction, including at exclusive clinics in metropolitan Australia such as the Sydney Clinic.
Those deemed ‘nice’ were overwhelmingly elderly patients whose medical records showed they had needed surgery for problems of ageing; one customer singled out was aged more than 105.
“We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts,” the hackers wrote.
Another data dump appeared to contain the information of hundreds of thousands of foreign nationals who were labelled as international university students.
TND emailed some of the victims in the initial release, seeking comment. In reply, one woman’s daughter said her mother was too distraught by the invasion to speak out personally.
Messages between the hackers and Medibank were also released. One exchange on October 21 showed that the group signalled its intent to systematically analyse and release customer details.
“Clearly Medibank was never going to pay the ransom,” Mr Hunt said.
“And these crews are dependent on following through on their threats in order to be taken seriously.
“I’m sure that the penny would have dropped for Medibank, many weeks ago, that this was almost certainly going to be the outcome.”
Also on Wednesday, Cyber Security Minister Clare O’Neil labelled the hacking the “lowest of lows”, noting that while only a small number of people’s personal health information had so far been shared, that was likely to change.
“I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act,” she told parliament.
“People are entitled to keep their health information private, even among ransomware attackers. The idea of releasing personal medical information of other people is considered beyond the pale.”
Police have said the release of the latest information could make affected customers more likely to be approached by scammers or to become victims of impersonation.
Mr Hunt said it was important for anyone affected by the hack to be vigilant about the fundamentals of security. That included being watchful for scams and making sure to verify the identity of any unknown callers or people making approaches.
“If you’re unsure, hang up and go to medibank.com.au,” he said.
“Keep your software up to date and use a password manager.
“Hopefully these events bring all this stuff a little bit more into the forefront of everyone’s mind.”