Medibank hackers threaten to release data within 24 hours if demands aren’t met
Cyber criminals behind the Medibank hack have threatened to begin releasing customer data, after the company swore it would not give in to ransom demands.
Russian hackers have threatened to expose the data of nearly 10 million Medibank customers in the next 24 hours if their demands aren’t met.
On Monday morning, the cyber criminals shared a post with a quote from Chinese philosopher Confucius and told people to sell their Medibank stocks.
“A man who has committed a mistake and doesn’t correct it is committing another mistake. – Confucius,” they wrote.
“Data will be publish in 24 hours.”
The ultimatum comes after the CEO of the health insurer, David Koczkar, said the company would not give in to the hackers’ ransom demands.
#revil #ransomware has posted a warning to #medibank on their leak site, with plans to leak data in the next 24 hours. Thanks @AlvieriD They have also 'borrowed' my #meme for the post.... #cybersecurity #infosec #auspol #Australia pic.twitter.com/YTuzu99bK0
— CyberKnow (@Cyberknow20) November 7, 2022
In a statement released to the ASX on Monday, Mr Koczkar apologised to the company’s 3.8 million members; however, he said the business was acting on expert advice not to pay the criminals.
It’s understood the Australian Government has also backed the insurer’s decision.
“Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” he said.
“In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target.
“It is for these reasons we have decided we will not pay a ransom for this event.”
In response to Tuesday’s revised threats, Medibank issued a statement which warned customers to “remain vigilant” as investigations by the Australian Federal Police and Australian Cyber Security Centre remain ongoing.
“We knew the publication of data online by the criminal could be a possibility, but the criminal’s threat is still a distressing development for our customers,” said Mr Koczkar.
“We unreservedly apologise to our customers. We take seriously our responsibility to safeguard our customers and support them. The weaponisation of their private information is malicious, and it is an attack on the most vulnerable members of our community.”
Hackers likely from Russia
Speaking to 2GB radio host Ben Fordham on Monday morning, technology expert Trevor Long backed Mr Koczkar’s decision, despite the escalation.
He said the latest threat shows the hackers are aware of the scale of the attack. Mr Long said the dark web forum used by the group also indicates they are most likely based in Russia.
“If you pay … you’re simply saying to these criminals that Australian companies are likely to pay, so you should hack them,” he said.
“If we pay ransom it will get even worse, so it’s an important thing Medibank doesn’t pay any ransom,” he added.
After Medibank became aware of the hack, initial messages from the cyber criminals threatened to target some of the insurer’s most vulnerable customers, the Sydney Morning Herald reported.
Written in broken English, an initial ransom note said: “We offer to start negotiations in another case we will start realising our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc) Also we’ve found people with very interesting diagnoses. And we’ll email them their information.”
Full scale of data breach revealed
Monday’s statement also shared more details around the scale of the attack which has affected 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers.
The company said customers should remain vigilant in case hackers publish their data online, or attempt to contact them directly.
The insurance giant said hackers had:
- Accessed the name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. Despite this, primary identity documents belonging to Medibank and ahm resident customers were not accessed, as this information is only collected in exceptional circumstances
- Accessed Medicare numbers (but not expiry dates) for ahm customers
- Accessed passport numbers (but not expiry dates) and visa details for international student customers
- Accessed health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers.
- Accessed health provider details, including names, provider numbers and addresses
Medicare also clarified that the criminals did not access information on customer credit card and banking details, or health claims data for extras like dental, physio, optical and psychology.
What implicated customers can do
As of Monday, vulnerable customers whose personal safety may be at risk as a result of the hacks (i.e. victims of domestic violence) now have access to a cybercrime health and wellbeing line (1800 644 325) and personal duress alarms.
Medibank is also offering mental health outreach services and access to a tailored Better Minds app with specific resources for those affected by cybercrime.
This is in addition to programs including specialist identity protection advice, free identity monitoring services, and reimbursement of ID replacement fees. Medibank will also offer hardship support and specialised teams to support people targeted by scam communications or threats.
An external review will also be conducted into the breach “to ensure that we learn from this cyber attack and continue to strengthen our ability to safeguard our customers,” the company said.