Cyber gang says it has Medibank customers’ credit card data as it steps up ransom demands
A cyber criminal gang that hacked Medibank’s customer database now claims it stole credit card security data as it escalates its ransom demands.
A cyber criminal gang that hacked Medibank’s customer database has claimed to have stolen credit card security data as it escalates its ransom demands to Australia’s biggest health insurer.
In a letter to customers – the second in as many days – chief executive David Koczkar apologised “unreservedly” as he revealed the latest demands from the hackers and warned it is the tip of the iceberg.
“The criminal claims to have stolen other information, including data related to credit card security, which has not yet been verified by our investigations,” Mr Koczkar said.
“Our teams are continuing to work around the clock to understand what additional customer data has been affected, and how this will impact them. We expect the number of affected customers to grow as the incident continues.”
Meanwhile, Medibank entered a voluntary suspension of ASX trade amid uncertainty over the financial impact of the incident.
The Office of the Australian Information Commissioner (OAIC) has also begun making “preliminary inquiries” with Medibank – which has more than 3.9 million customers – to ensure it complied with data breach and retention laws. Medibank confirmed it holds customer information for up to seven years, and for children up until they are 25.
It comes after the OAIC launched an investigation into a separate cyber attack on Optus and the telco’s handling of customer data – which could lead to civil penalties of up to $2.2 million per breach.
At Medibank, the hackers have already stolen “very specific” customer data, including sensitive health information such as the medical conditions customers have been diagnosed with and treatment they were prescribed.
This could potentially include deeply personal information relating to sexual health, serious diagnoses such as cancer, whether a woman has undergone a termination, and whether a person has been treated for a mental health condition or substance abuse.
Australian Information and Privacy Commissioner Angelene Falk said “this matter is understandably of great concern, given the sensitive information that may be involved”.
“As information is gathered and assessed, the number one priority is ensuring that Medibank customers have information and resources available to take steps to protect themselves from any risk arising as a result of their personal information being compromised,” Ms Falk said.
“We will be working with other government regulators and agencies in relation to the response to the breach.”
Medibank on Monday said there was “no indication that the incident was caused by a (foreign) state-based actor”. But it is still gathering details of the attack as it completes a forensic investigation, with the situation evolving daily.
The hackers warn they will release the personal information of Medibank’s high-profile customers first, unless their demands are met.
“We offer to start negotiations in another case we will start realising our ideas like 1. Selling your Database to third parties 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, actors, bloggers, LGBT activists, drug addictive people, etc). Also we’ve found people with very interesting diagnoses. And we’ll email them their information,” the ransom demand stated.
On Thursday Home Affairs Minister Clare O’Neil branded the hack a “dog act” and warned of “irreparable harm to some Australian citizens”.
Australian Federal Police and Australian Signals Directorate officers have been stationed inside Medibank and are working alongside private security firms to determine what was stolen and how the attackers infiltrated the company’s systems.
“We know that our customers, people, and the community want to know what data has been stolen, and how that may affect them,” Mr Koczkar said in his latest letter to customers.
“The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems. That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
“This claims data includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.”
The criminal gang says it has stolen about 200GB worth of customer information.
“As we have worked through this cyber incident, Medibank has committed to transparency about what we know, and how that could impact our customers, our people, and the broader community,” Mr Koczkar said.
“We will continue to contact affected customers. Medibank urges our customers to remain vigilant, and encourages them to seek independent advice from trusted sources, including the Australian Cyber Security Centre at cyber.gov.au.”
Medibank disclosed the attack last Thursday, and said in a series of updates that it was yet to find any evidence that customer data was stolen. But that changed on Wednesday, when the company said it had been approached by a hacking group that claimed to have stolen a trove of customer data and was threatening to release it publicly unless the health insurer paid a ransom.
In relation to the Optus hack, in which the personal information of almost 10 million customers was stolen, the telco was referring questions to the Australian Federal Police, saying it did not want to compromise its investigation in catching the cyber criminals.