CANBERRA, Australia -- An extortionist has threatened to make Medibank customer data public within 24 hours after Australia’s largest health insurer refused to pay a ransom for the personal records of almost 10 million current and former customers.
Medibank on Monday ruled out paying ransom for the stolen data. The theft was reported to police Oct. 19 when trade in the company’s shares was halted for a week.
The thieves had reportedly threatened to expose the diagnoses and treatments of high-profile customers unless a ransom of an undisclosed sum was paid.
“Based on the extensive advice we have received from cybercrime experts, we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank CEO David Koczkar said in a statement.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” Koczkar added.
A blogger using the name “Extortion Gang” posted Monday night on the dark web that “data will be publish (sic) in 24 hours.”
“P.S. I recommend to sell medibank (sic) stocks,” the blog added.
The post did not include data samples that could prove the author held the data. But Medibank on Tuesday took the threat seriously.
“We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,” Koczkar said.
Koczkar urged customers to remain vigilant and warned that the criminal could contact them directly.
Medibank this week updated its estimate of the number of people whose personal information had been stolen, from 4 million two weeks ago to 9.7 million. The stolen data included health claims of almost 500,000 people, including diagnoses and treatments, the company said.
“The weaponization of their private information is malicious and it is an attack on the most vulnerable members of our society,” Koczkar said.
Cybersecurity Minister Clare O’Neil welcomed Medibank’s stance, saying its refusal to pay a ransom was in line with her government’s advice.
Medibank revealed this week that a hacker stole a company employee’s username and password to access the customer database.
At least two legal firms say they are investigating a potential class-action lawsuit against Medibank for failing to protect customer data.
The price of Medibank shares fell almost 3% in early trade Tuesday on the Australian Securities Exchange following threats of data publication and lawsuits.