When the Australian health insurer Medibank Private Ltd. was hit with a ransomware attack last month, it provided regular updates to its customers, including the revelation that personal information from nearly 10 million of them was exposed. It also followed the government’s guidance on how to respond to the extortion demand.

Medibank didn’t pay the ransom. But that plan hasn’t worked out so well.

Following through on a threat, the hackers began publishing the most private medical details of some of Medibank’s customers, including terminated pregnancies, treatment for drug and alcohol addiction and heart attacks, according to a cybersecurity analyst, victims who have spoken publicly about the incident and local media reports.

About 1,000 patients have already had deeply personal data revealed on dark web forums, according to Medibank, and the hackers, who Australian authorities believe are Russian, have warned that more is coming.

“Unfortunately we expect the criminal to continue to release stolen customer data each day,” said David Koczkar, Medibank’s chief executive officer.

Medibank’s experience represents a nightmare scenario for companies and organizations attacked by ransomware, a type of cyberattack in which a victim’s data is encrypted until a payment is made to unlock it. Many ransomware gangs now steal data too and threaten to release the information unless payment is made.

Despite guidance from government agencies, including the FBI, not to pay ransom demands, many victims end up doing so, including Colonial Pipeline Co., after a ransomware attack last year forced it to shut down a pipeline that provides fuel to the US East Coast.

Koczkar said in a statement that the company had been warned there was only a limited chance the data would be returned and not published even if they paid. The hackers sought $1 for every patient, or about $10 million, according to the Sydney Morning Herald.

“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Koczkar said.