Anthony Albanese and minister reveal they are among 9.7 million Medibank customers
The Prime Minister and the Cybersecurity Minister have revealed they are customers of the insurance company which has had data leaked on the dark web.
Prime Minister Anthony Albanese and Cybersecurity Minister Clare O’Neil have revealed they are among 9.7 million customers caught up in the Medibank hack, describing the criminals as “scumbags”.
Hundreds of names, addresses, birth dates and health diagnoses were allegedly posted on the dark web overnight, and separated into a “good-list” and “naughty-list”.
It comes after the hackers gave the insurance company a 24-hour deadline to pay an unknown ransom.
Ms O’Neil, who is also the Minister for Home Affairs, told parliament on Wednesday that the number of people whose medical information might have been compromised was small, but that was “likely to change”.
“We are going through a difficult period now that may last for weeks, possibly months; not days and hours,” she said.
“I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act. People are entitled to keep their health information private.
“This is not just any ordinary group of scummy criminals, this is the lowest of the low.”
Ms O’Neil said the Australian government had been preparing for the hackers releasing the data.
“The actions of the national co-ordination mechanism to prepare for what is taking place are extensive,” she said.
“It includes placing protective security around government data, it includes state police working with affected individuals, it includes the organisation of mental health support and counselling, it includes putting in place management plans around people who have some very specific vulnerabilities.”
Ms O’Neil urged social media platforms and traditional media not to publish the private information of Australians.
“If you do so, you will be aiding and abetting the scumbags who are at the heart of these criminal acts and I know you would not do that to your own country and your own citizens,” she said.
Earlier, Mr Albanese told reporters he was a Medibank member.
“I am a Medibank Private customer as well and it will be of concern that some of this information has been put out there,” he said.
“We are concerned, and we will continue to monitor what is occurring.
“We need to keep people's information as safe as possible. There has been a real wake-up call for corporate Australia with both this breach, and the Optus breach.”
It is understood Mr Albanese has not had his personal data leaked online.
Cyber Commander Assistant Commissioner Justine Gough said the AFP had expanded Operation Guardian to include victims of the Medibank hack.
The operation was originally founded to tackle the Optus data hack in late September, which impacted about 9.8 million customers.
“I know today there will be Medibank private customers who will feel exposed, embarrassed and fearful because of the deeply personal information that has been stolen and dumped on the dark web,” Assistant Commissioner Gough told reporters.
Assistant Treasurer Stephen Jones slammed the hackers behind the theft of 9.7 million highly personal details of Medibank customers.
“They’re criminals, and we shouldn’t be paying ransom,” he told Sky News.
“We shouldn’t be giving into these fraudsters. The moment we fold, it sends a green light to scumbags like them throughout the world that Australia is a soft target.
“We cannot give in, and we won’t give in.”
As threatened, the hackers responsible for the Medibank ransom have begun dumping data. This is about as bad as we feared it would get. pic.twitter.com/ZAE37rLXQs
— Troy Hunt (@troyhunt) November 8, 2022
The hacker threatened in a Tuesday post – featuring a Super Mario meme and a Confucius quote – that they would publish the data within 24 hours if a ransom was not paid.
“P.S. I recommend to sell Medibank stocks,” they warned.
Medibank shares closed 1.8 per cent lower at $2.78.
Bizarrely, the hackers apologised for not presenting the data in a “pretty” manner.
“Looking back that data is stored in not very understandable format (tables dumps) we‘ll take some time to sort it out and we posting a small part of the data, in ’human readable format (sample in json file)’ also we post all raw data,” the hacker wrote.
“We’ll continue posting data partially, need some time to do it pretty.”
The posts include dark web links to files that appear to include valid details of Australian healthcare interactions.
Full names, phone numbers, addresses, Medicare numbers, dates of birth, genders and the names of healthcare providers and the codes used by Medibank to list diagnosis and treatment are all listed in the data dump.
Medibank has apologised to its customers but says it doesn’t believe paying any ransom will ensure the data isn’t released.
“We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published,” Medibank chief executive David Koczkar said.
‘Not happy at all’: Hack victim reveals fear for personal safety
A victim of the Medibank hack has claimed the insurer suggested she purchase a personal duress alarm to keep safe after personal details, including her address, may have been leaked in the data hack.
Hack victim Michelle Davison revealed to the Today show that she was having to consider extreme measures to protect herself while her personal details were in the hands of the hackers.
“One of the things they said to keep us safe was that we possibly will require personal duress alarms,” she said on Wednesday.
“So, are they concerned that these hackers are going to sell our information, that people are going to come to our houses and knock on our doors?”
Ms Davison said she was “not very happy at all” over the way the hack had been handled by the insurer.
“We have a company that takes our premiums each fortnight to provide a service if we require assistance for our health, but with that commitment is that they provide that service with the understanding that our information is going to be kept private,” she said.