NewsBite

Medibank hack reveals how far behind Australians are | Samantha Maiden

If there is one thing the Medibank hack has made very clear, it’s how dangerously backwards we are here, writes Samantha Maiden.

Suspected Medibank hackers release sample of customer data

Buried in headlines over Medibank’s response to Russian hackers this week was a disturbing detail.

Revealing for the first time the scale of the cyber hack, the nation’s biggest health insurer confirmed the hackers had accessed the name, date of birth, address, phone number and email address for about 9.7 million current and former customers.

That was about twice as many people potentially affected as the company had previously admitted.

Worse, Medibank confirmed the stolen data included information about where customers received certain medical services, and codes associated with diagnosis and procedures administered.

It didn’t take long for that threat to be made clear on the dark web.

A ransom note previously claimed to have access to sensitive medical information about “politicians, actors, bloggers, LGBT activists, drug addicted people, etc.”

On Wednesday, they started posting the sensitive medical information they boasted of obtaining.

Hackers posted a Super Mario meme to threaten Medibank. Picture: Supplied

The initial numbers were small, about 100 people, but both the government and the insurer warned to expect more to come.

“We expect the criminal to continue to release files on the dark web,” Medibank warned.

And the insurer issued a chilling warning to customers that it expected the “criminal will continue to release files on the dark web”.

The blackmailers started releasing hundreds of names and addresses overnight, bragging they have the screenshots to prove they are talking with the insurer. In one exchange posted by the hackers, they threaten to keep leaking information until their demands are met.

“We’ll continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi file system from different hosts,” the message states.

“Looking back that data is stored not very understandable format we’ll take some time to sort it out,” they said.

“We’ll continue posting data partially, need some time to do it pretty.”

“P.S. I recommend to sell medibank stocks.”

Home Affairs Minister Clare O’Neil warned the “scumbag” hackers leaking sensitive Medibank patient information to the dark web could continue to drip-feed the data for months.

Minister for Home Affairs and Minister for Cyber Security Clare O'Neil. Picture: NCA NewsWire / Martin Ollman

“People are entitled to keep their health information private, even amongst ransomware attackers, the idea of releasing personal medical information of other people is considered beyond the pale,” Ms O’Neil said.

“So make no mistake about it, this is not just any ordinary group of criminals, this is the lowest of the low.

“I know I do not need to point out the importance of social media companies not allowing this information to be published and not allowing it to be shared on your platforms and to traditional media companies, to not rubbish the private information of Australians,” she said.

“If you do so, you will be aiding and abetting the scumbags at the heart of these criminal acts and I know you would not do that to your own.”

How did this happen?

The short answer is that the Medibank hack began with the theft of the credentials of someone who had high-level access within the organisation.

They appear to have been sold to a Russian-language cybercrime forum.

The most detailed explanation was provided by Medibank in an investor call on October 17 – it refers to the stolen user credentials.

It revealed that it was Medibank itself that detected unusual activity in its cyber security systems.

This led to the cyber security team starting their incident response, supported by its cyber security partners.

Later that evening, Medibank identified the unusual activity was focused on the IT infrastructure.

The personal details including Medicare numbers and health treatments of customers have been leaked. Picture: NCA NewsWire / David Geraghty

It took the precautionary step to take the systems offline to protect the data of customers. The investigation, which is ongoing, indicated that cyber security systems had detected activity consistent with the precursor to a ransomware event.

This initial finding was shared with the Australian Cyber Security Centre, who provided Medibank with additional guidance in support of this conclusion.

“We believe compromised credentials were used to access our systems,” Medibank told investors.

“I can confirm that our investigation shows that systems were not encrypted by ransomware during this incident and there is also no indication that the incident was caused by a state-based threat actor.”

In a statement to the ASX, Medibank chief executive David Koczkar said his company “took seriously our responsibility to safeguard our customers.

“The weaponisation of their private information in an effort to extort payment is malicious, and it is an attack on the most vulnerable members of our community,” Mr Koczkar said.

Minister O’Neil warned Australians were about “five years behind where we should be with regard to cyber security and there is a power of work under way at the moment to change that.”

“We are working hard to protect you and to protect our country,” she said.

Fine words, but little comfort, for Medibank customers.

Samantha Maiden, National political editor

Samantha Maiden is the political editor for news.com.au. She has also won three Walkleys for her coverage of federal politics including the Gold Walkley in 2021. She was also previously awarded the Graham Perkin Australian Journalist of the Year, Kennedy Awards Journalist of the Year and Press Gallery Journalist of the Year. A press gallery veteran, she has covered federal politics for more than 20 years.


Original URL: https://www.adelaidenow.com.au/news/opinion/medibank-hack-reveals-how-far-behind-australians-are-samantha-maiden/news-story/3c45f4d11d377938f3cfaec0f2fcc675