Sharing a statement with a quote from Chinese philosopher Confucius, the hacking group told people to sell their Medibank stocks along with an ultimatum for the insurance giant.

“A man who has committed a mistake and doesn’t correct it is committing another mistake. – Confucius,” the hackers wrote.

“Data will be publish in 24 hours.”

It comes after Medibank chief executive David Koczkar declared on Monday the company would not pay any ransom for the data theft that affected nearly 10 million of its current and former policyholders.

The company’s customers face an anxious wait to learn if the cyber criminals – who bought a high-level Medibank login from a Russian online crime forum – will act on their threat of publicly releasing their medical records and other sensitive information.

“Customers should remain vigilant. We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,“ Mr Koczkar said on Tuesday.

“We unreservedly apologise to our customers.

“We take seriously our responsibility to safeguard our customers and support them.

“The weaponisation of their private information is malicious, and it is an attack on the most vulnerable members of our community.”

Mr Koczkar said he was “devastated” for the customers, saying they “deserve privacy”. But he said if Medibank caved to the demands of cyber criminals it would make Australia a softer target for repeat attacks.

“This is a significant decision for the business and we’ve had extensive expert advice and the reality of that advice is that there was a small chance that paying a ransom – you can call it extortion – that it was very unlikely they may return customer data,” Mr Koczkar told The Australian.

“In fact, you just can’t trust a criminal. It’s more likely that this will put more of our customers at risk through increased extortion and actually make Australia a bigger target. That’s consistent with the government policy on paying ransom, so that’s why we’ve made the decision we have to not pay a ransom.”

Meanwhile two law firms announced on Monday that would team up to investigate a potential class action lawsuit against the company. Bannister Law Class Actions and Centennial Lawyers are encouraging affected customers to register their interest on their websites.

“Medibank has a duty to keep this kind of information confidential,” Bannister Law and Centennial Law said in a statement.

“This latest data breach exposes the lack of safeguards in place to prevent such personal and private information being released to wrongdoers and Medibank & ahm have failed policyholders in these circumstances.”

Home Affairs Minister Clare O’Neil welcomed Medibank not paying the ransom, which was “consistent with Australian government advice”.

“I want Australia to be the most cyber-safe country in the world. The payment of ransoms directly undermines that goal,” she said.

“The Australian government, after a wasted decade for digital reform, is stepping up on cyber security and ransomware … we see and recognise the urgent need to address the conditions that have allowed the two largest cyber attacks in our history to occur within the space of two months.”

Mr Koczkar said investigations into the incident showed the criminal accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives.

The criminal also accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.

Some 5,200 My Home Hospital patients also had some personal and health claims data accessed, and around 2,900 next of kin of these patients have had some contact details accessed.

Primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers were not accessed, but Medicare numbers (but not expiry dates) for ahm customers were caught up in the breach as were passport numbers (but not expiry dates) and visa details for international student customers.

Additional reporting: Jared Lynch, Sarah Ison

More Coverage

‘Can’t trust a criminal’ – Medibank refuses to pay ransom

Jared Lynch, Sarah Ison, David Swan

Medibank leak hits six million ex-customers

Sarah Ison

Originally published as ‘Data will be published’: Medibank hackers’ new threat