Revealed: Hackers demanded $15m from Medibank

The cyber attackers initially demanded the national health insurer pay $US10 per impacted customer, before ‘discounting’ the ransom to $US1 per person.

On Wednesday, the company said it had become aware that files had been released on a dark web forum containing customer data. Picture: David Geraghty

The Russian hackers behind the major Medibank data breach have revealed their demand for $15 million in ransom for the stolen data.

The cyber attackers initially asked the national health insurer for $US10 per impacted customer, before “discounting” the demand to $US1 per person impacted.

At least 9.7 million Australians have been caught up in the breach – including 5.1 million Medibank customers.

A person claiming to be one of the hackers – who goes by the name John K Ram, like the villain from the SAW film franchise – disclosed their ransom demand overnight.

In a post on the dark web, the hackers said they had asked for “10 millions USD”, but could “discount” the ransom to US$9.7m (AU$15.07m), or US$1 per person impacted.

Tranches of Medibank customers’ data were released on Wednesday, ranging from phone numbers and Medicare numbers to detailed information relating to medical diagnoses and treatments.

Additional data appears to have been released on Thursday morning, with the hackers threatening to continue to release private information.

Hackers who breached Medibank servers have begun releasing sensitive information of the insurer’s customers, including medical histories detailing drug addiction and mental health diagnoses.

The first tranche of data was released on Wednesday after Medibank, the country’s largest health insurer, told the hacking group known as REvil that it would not pay a ransom.

The details were released in the form of two documents – titled the “naughty” and “nice” lists – and included names, addresses, dates of birth, Medicare numbers and a list of diagnoses ranging from headaches to drug dependence.

At the same time, correspondence between Medibank and the group claiming responsibility for illegally accessing the personal records shows the two parties spent weeks in discussions.

Medibank admitted on October 19 that hackers had stolen the information of 9.7 million customers and wanted to negotiate a ransom. David Koczkar, Medibank’s chief executive, said on Monday that the company would not pay, adding that if it caved in to demands, it would make Australia a softer target for repeat attacks.

WhatsApp messages and emails released by REvil appear to show lengthy discussions as Medibank sought to delay the release of information while it worked to verify whether the data the group had was its customers’ details.

The first series of messages were sent directly to Mr Koczkar, the correspondence shows.

“Hi! As your team is quite shy, we decided to make the first step in our negotiation,” the hackers wrote in a WhatsApp message to Mr Koczkar dated October 18.

“We have 200gb sensitive data from your RedShift Cluster. We offer to start negotiations in another case we will start realizing our ideas like 1. Selling your Database to third parties. 2. But before this we will take 1k most media persons from your database (criteria is: most followers, politicians, LGBT activist, drug addictive people etc ... Also we’ve found people with very interesting diagnoses.”

The hackers sent Mr Koczkar a file – the “naughty” list – containing the data of 100 customers.

On Wednesday, the company said it had “become aware that the criminal has released files on a dark web forum containing customer data that is believed to have been stolen from Medibank’s systems”. It added the files were a sample of the data earlier determined to have been illegally accessed. “We will continue to work around the clock to inform customers of what data we believe has been stolen and any of their data included in the files on the dark web and provide advice on what customers should do,” Medibank said in a statement.

Australian Federal Police will expand their investigation into an earlier data breach affecting Optus customers to the Medibank incident. The AFP said in a statement it was “aware that distressing and very personal information has been released on the dark web” and had immediately taken measures, including “covert techniques”, to identify further criminal activity.

“This is not just an attack on an Australian business. Law enforcement agencies across the globe know this is a crime type that is borderless and requires evidence and capabilities to be shared,” AFP assistant commissioner Justine Gough said. “Blackmail is an offence and those who misuse stolen personal information for financial gain face a penalty of up to 10 years’ imprisonment.”

AFP assistant commissioner Justine Gough. Picture: Martin Ollman

The hackers, according to files uploaded alongside the customer data, went on to negotiate with a company representative, who requested they verify themselves.

“We want to talk, but you send different messages to different people,” the representative wrote in an email purportedly sent on October 20. “We think some of these messages don’t come from you. Please tell us phone numbers and emails you used, so we know which ones are really you.

“You also can not send data to other people when we try talking with you. We need to confirm these things please. We try to make this work.”

A day later the hacker sent a full listing of stolen files to Medibank, to which the Medibank representative responded: “Received. We need some time to review. We will get back to you.”

Four days later, on October 25, the hacker issued a new threat.

“Judging by your public statements, you are not in the mood for negotiations and we have nothing to do but start posting data and also inform users that their data has been compromised and this is purely the fault of your company,” the group wrote.

“In addition to informing, we will also drop the link to a public source where the data is published so that it would be easier for them to form a lawsuit, we will regularly post data every day and support the news feed.

“But we are also ready to give you a day to think about how you should be better. And we advise you to proceed to the discussion of the price of demand. In the event of a negative outcome of the negotiations for us, we will do everything in our power to inflict as much damage as possible for you, both financial and reputational.”

The Medibank representative said in response that the company was required to disclose the demands by law as it was ASX-listed.

“We still want to work with you to protect our customers data. We don’t know who you are, so it’s very hard for you to trust (sic),” the representative wrote. “How do you we know you will destroy and never publish our customers (sic) data?”

On November 2, discussions broke down, with the hacker describing them as a dead end.

“After considering all actions, we have made a decision that we cannot pay your demand,” the representative wrote on November 5. “It is also Australian government policy that ransoms should not be paid. We understand the impact this may have.”

“We unreservedly apologise to our customers,” Mr Koczkar said on Wednesday. “This is a criminal act designed to harm our customers and cause distress.”

Home Affairs Minister Clare O’Neil said she did not “have (the) words to express the disgust” she felt in response to the stolen data being published online.

“The fact that personal health information is being held over their head is just disgusting to me,” she said. “These cyber criminals ... they are just disgraceful human beings and we need to step up and do everything we can to fight back against them.”

Additional reporting: Sarah Ison, Ellen Ransley

Original URL: https://www.theaustralian.com.au/business/technology/revealed-medibanks-messages-to-hacker/news-story/a3c6e24d46b9b495378d89513e16eb5f